Thursday, March 28, 2013

SSO + WNA shown from Apache logging

When SSO works with Windows native Authentication, the Apache logging shows this:
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage HTTP/1.1" 302 1061
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~18DD161D~[...]
[...]eb/2011:11:11:34 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~18DD161D~[...]
[...]eb/2011:11:11:34 +0100] "GET /osso_login_success?urlc=v1.4~[...]
[...]eb/2011:11:11:35 +0100] "GET /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage HTTP/1.1" 200 20229

What happens in detail is this: 

  1. I request my own details page, /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage. 
  2. I get a redirect (http status 302, the next column entry in the log); 1061 bytes returned. 
  3. The redirected page, orasso.wwsso_app_admin.ls_login, reacts with a status 401, which means Unauthorized - send credentials. 5 bytes are returned to the browser. 
  4. Now, it is up to your browser to supply your credentials (or not). 
  5. If your credentials are accepted, the next page, wwsso_app_admin.ls_login, sends another redirect (302) to osso_login_success. 2376 bytes are sent back. 
  6. The final page, osso_login_success, sends the last redirect (status code 302) to the requested original page. 
  7. Once more, /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage appears in the Apache logs, but with two major changes: 
    • my account (BORTEL) is mentioned. 
    • The return status is 200 (success, normal completion). The page contains 20229 bytes.
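The hop sequence above is easy to eyeball for one user, but on a busy server you want to check it mechanically: did a client actually complete the 302 / 401 / 302 / 302 / 200 chain, and did the final page get served to a named account? The script below is an added example (not from the original post); it parses common-log-format lines and walks that chain per client address. The sample log lines are constructed for the example, modelled on the hops described above, and the assumption that the account (BORTEL) shows up in the third, authuser, column is mine; the token values are placeholders.

```python
import re
from collections import defaultdict

# Apache common log format: host ident authuser [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The SSO + WNA hop sequence from the post, as (path fragment, status) pairs.
EXPECTED_CHAIN = [
    ("ViewMyPage", 302),                # 1-2. original page redirects to the login servlet
    ("wwsso_app_admin.ls_login", 401),  # 3.   login servlet challenges: Unauthorized
    ("wwsso_app_admin.ls_login", 302),  # 5.   credentials accepted, redirect to success page
    ("osso_login_success", 302),        # 6.   success page redirects back to the original
    ("ViewMyPage", 200),                # 7.   original page served to the authenticated user
]
HOP_NAMES = ["initial redirect", "401 challenge", "login accepted",
             "success redirect", "page served"]

# Constructed sample log: host .116 completes the chain, host .117 gets stuck
# answering the 401 challenge (browser sends no usable credentials).
SAMPLE_LOG = """\
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage HTTP/1.1" 302 1061
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~EXAMPLETOKEN HTTP/1.1" 401 5
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~EXAMPLETOKEN HTTP/1.1" 302 2376
10.10.10.116 - - [03/Feb/2011:11:11:34 +0100] "GET /osso_login_success?urlc=v1.4~EXAMPLEURLC HTTP/1.1" 302 0
10.10.10.116 - BORTEL [03/Feb/2011:11:11:35 +0100] "GET /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage HTTP/1.1" 200 20229
10.10.10.117 - - [03/Feb/2011:11:12:02 +0100] "GET /oiddas/ui/oracle/ldap/das/mypage/ViewMyPage HTTP/1.1" 302 1061
10.10.10.117 - - [03/Feb/2011:11:12:02 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~EXAMPLETOKEN HTTP/1.1" 401 5
10.10.10.117 - - [03/Feb/2011:11:12:03 +0100] "GET /pls/orasso/orasso.wwsso_app_admin.ls_login?Site2pstoreToken=v1.4~EXAMPLETOKEN HTTP/1.1" 401 5
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop Site2pstoreToken / urlc query strings
    return rec


def classify(recs):
    """Walk EXPECTED_CHAIN as a subsequence of one client's requests."""
    hop = 0
    final = None
    for rec in recs:
        frag, status = EXPECTED_CHAIN[hop]
        if frag in rec["path"] and rec["status"] == status:
            hop += 1
            if hop == len(EXPECTED_CHAIN):
                final = rec
                break
    if final is None:
        # Stalled: report the last hop that was reached (None if not even the first)
        return {"completed": False, "last_hop": HOP_NAMES[hop - 1] if hop else None, "user": None}
    user = None if final["user"] == "-" else final["user"]
    return {"completed": True, "last_hop": HOP_NAMES[-1], "user": user}


def check_sso_chain(lines):
    """Group log lines by client host and return {host: verdict}."""
    per_host = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_host[rec["host"]].append(rec)
    return {host: classify(recs) for host, recs in per_host.items()}


if __name__ == "__main__":
    for host, verdict in check_sso_chain(SAMPLE_LOG.splitlines()).items():
        print(host, verdict)
```

A chain that stalls at the "401 challenge" hop is the signature of a browser that never supplied acceptable credentials (host not in the domain, zone settings, or a cancelled prompt), whereas a completed chain whose final 200 carries no account name points at the logging configuration rather than at authentication. The common log format has no session identifier, so grouping by client address is an approximation; with many clients behind one proxy you would group by SSO cookie from a custom LogFormat instead.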

Monday, March 18, 2013

Configuring Identity and Access Management 11gR2

In a nutshell:

Start the node manager:
/oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh
Configure the Identity and Access Management suite:
/oracle/middleware/Oracle_IDM1/bin/config.sh
DO NOT START YOUR MANAGED SERVERS!!! There's an omission in the manual... You need to configure the database as the security store first. You do that with:
/oracle/middleware/oracle_common/common/bin/wlst.sh \
  /oracle/middleware/Oracle_IDM1/common/tools/configureSecurityStore.py \
  -d /oracle/middleware/user_projects/domains/OAM_domain \
  -c IAM -p welcome01 -m create
Now you can start your managed servers.

For some reason, I needed to create a Machine, and add the AdminServer and OAM managed servers to it. Have seen this twice, now.

Then, change the nodemanager.properties file (see [ID 1275344.1]), as it failed to start: 11G OAM_SERVER1 Managed Server Fails To Start With [Security:097533] SecurityProvider Service Class Name For IDMDomainAgent Is Not Specified.
WebLogic console: overview of oam_server1

Access manager console

Sunday, March 17, 2013

Configuring OID onto the existing IDM domain

Easy enough, when you know how ;)

Start database & listener (of course, your environment is set):
lsnrctl start
sqlplus / as sysdba <<EOF
startup
EOF

Start nodemanager.
/oracle/middleware/wlserver_10.3/server/bin/startNodeManager.sh &

Start the managed servers:
/oracle/middleware/user_projects/domains/OAM_domain/startWebLogic.sh &

Now, start the OID configuration:
/oracle/middleware/Oracle_OID/bin/config.sh

I will be expanding the existing domain, so I need to provide the admin server credentials.
Once that's done, I can choose where to put the software.
Always go for Automatic - see my earlier article about OID not wanting to run on privileged ports.