SSO-SSL configuration:
OHS server configuration before installing the certificate:
Prerequisites:
-- Give ownership and permission as root user to the ".apachectl" file, as shown below:
-rwsr-s--- 1 root dba 13262 Oct 28 2009 .apachectl
Location of file: $ORACLE_HOME/ohs/bin
Module used for SSL: mod_ossl
This module provides SSL v3 and TLS v1.x support for the Apache HTTP Server. It relies on OpenSSL to provide the cryptography engine.
Configuration files involved in SSO-SSL configuration:
1. httpd.conf
2. ssl.conf
3. mod_wl_ohs.conf
4. mod_osso.conf
5. osso.conf (encrypted file received from the SSO team)
///////////////// Changes done in httpd.conf file //////////////////////////
Location of file: $INSTANCE_HOME/config/OHS/ohs1
Listen <IP>:80 (IP of <servername>)
LoadModule ossl_module "$ORACLE_HOME/ohs/modules/mod_ossl.so"
<IfModule mod_proxy_balancer>
LoadModule proxy_balancer_module "${ORACLE_HOME}/ohs/modules/mod_proxy_balancer.so"
</IfModule>
<IfModule !mpm_winnt_module>
User orpgmkct
Group dba
</IfModule>
ServerName <DNS_ALIAS>
RewriteEngine on
RewriteRule ^/(.*)$ https://<DNS_ALIAS>/$1 [R=301,NC]
RewriteRule ^/$ https://<DNS_ALIAS>/ [R=301,NC]
RewriteRule ^/cs https://<DNS_ALIAS>/cs [R=301,NC]
RewriteRule ^https://login.oracle.com/pls/orasso/orasso.wwsso_app_admin.ls_logout?p_done_url=https://<DNS_ALIAS>/$ https://<DNS_ALIAS>/ [R=301,NC]
include "$ORACLE_HOME/instances/instance3/config/OHS/ohs1/ssl.conf"
include "$ORACLE_HOME/instances/instance3/config/OHS/ohs1/moduleconf/mod_osso.conf"
////////////////////////// Changes done in ssl.conf file ///////////////////////////////////////////////
Location of file: $INSTANCE_HOME/config/OHS/ohs1
LoadModule ossl_module $ORACLE_HOME/ohs/modules/mod_ossl.so
Listen <IP>:443
<VirtualHost *:443>
ServerName <DNS_ALIAS>:443
RewriteEngine on
RewriteRule ^/$ /cs/idcplg?IdcService=SS_GET_PAGE&siteId=GMKP [PT]
SSLWallet "$ORACLE_HOME/instances/instance3/config/OHS/ohs1/certs"
SSLEngine on
SSLOptions +StrictRequire
SSLCipherSuite ALL:!ADH:!EXPORT:+SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLVerifyClient none
</VirtualHost>
////////////////////////// Changes done in mod_wl_ohs.conf file ////////////////////////////////
Location of file: $INSTANCE_HOME/config/OHS/ohs1
LoadModule weblogic_module "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"
<IfModule mod_weblogic.c>
WebLogicHost <DNS_ALIAS>
WebLogicPort 10100
#Debug ON
FileCaching OFF
#WLLogFile /u10/app/GMKPDB/orgmkpdb/oracle/Middleware/Oracle_WT1/instances/instance1/diagnostics/logs/OHS/ohs1/weblogic_ohs.log
</IfModule>
<Location /cs>
SetHandler weblogic-handler
WebLogicHost <IP>
WebLogicPort 10100
#PathPrepend /login
#DefaultFileName login.htm
MatchExpression *.* WebLogicHost=<IP>|WebLogicPort=10100
</Location>
<Location />
SetHandler weblogic-handler
WebLogicHost <IP>
WebLogicPort 10100
#PathPrepend /login
#DefaultFileName login.htm
MatchExpression *.* WebLogicHost=<IP>|WebLogicPort=10100
</Location>
<Location /osso_login_success>
SetHandler osso_login_success_handler
</Location>
<Location /osso_logout_success>
SetHandler osso_logout_success_handler
</Location>
<Location /adfAuthentication>
SetHandler weblogic-handler
WebLogicHost <IP>
WebLogicPort 10100
</Location>
////////////////////////////// Changes done in mod_osso.conf file //////////////////////////////////////
Location of file: $ORACLE_HOME/instances/instance3/config/OHS/ohs1/moduleconf
OssoConfigFile $ORACLE_HOME/instances/instance3/config/OHS/ohs1/osso.conf
===================================================================
Certificate files management and installation:
Prerequisites: The HTTP server should have been configured with port 80 for HTTP requests and port 443 for HTTPS requests, and both ports should be open for requests (which has been done in the previous part, server configuration).
Steps followed to configure SSO-SSL on server "<servername>":
Step-1: Get the DNS name/DNS alias for server <servername> as "<DNS_ALIAS>".
Step-2: Generate the private key for the server in $INSTANCE_HOME/config/OHS/ohs1/certs (a certs directory created to keep the certificate) and save it as "private.key".
Step-3: Create a wallet on the server and request a certificate, i.e. create a Certificate Signing Request (CSR), with the following values:
CN: <DNS_ALIAS> (DNS alias)
And all other values as required:
Common Name: Enter the exact host and domain name that you require to secure. (Must be the Fully Qualified Domain Name: www.yourdomain.com)
Organizational Unit: Enter the name of the identity's Organizational Unit. (Example: Support)
Organization: Enter the name of the identity's Organization. (Example: ABC Corp)
Locality/City: Enter the name of the locality or city in which the identity resides.
State/Province: Enter the full name of the state or province in which the identity resides.
Country: Choose the drop-down list to view a list of country abbreviations. Select the country in which the Organization is located.
Key Size: Choose the drop-down box to view a list of key sizes to use when creating the public/private key pair.
Advanced: DO NOT ENTER ANY INFORMATION
Export the CSR into a text file for submission to a Certification Authority. Save the file as <anyname>.csr
Note: Remember the wallet path and password.
Step-4: Get the certificate acknowledgement from the SSL team, along with the rootCA and IntermediateCA certificates or a CA certificate file that combines both the root and intermediate CA certificates (download link).
Later, get the certificate contents from the SSL team, copy the contents to Notepad and save it as public.crt.
Step-5: Copy the certificates from Step-3 to the server's certificate directory created in $INSTANCE_HOME/config/OHS/ohs1/certs.
Step-6: The certificates below have to be installed in the server configuration:
· rootCA certificate
· Oracle SSL CA certificate
· SSL certificate (entity)
Planning to keep the certificates in the wallet as follows:
Before importing the certificate files into the wallet, export all files in PKCS#12 format to a wallet file:
$ openssl pkcs12 -export -out ewallet.p12 -inkey private.key -in public.crt -certfile Combined-VTN-Oracle.pem
In our case, on server <servername> the certificates are in the $ORACLE_HOME/instances/instance3/config/OHS/ohs1/certs/ location, and the same command above was run to export those certificates in PKCS#12 format into the wallet file "ewallet.p12".
Step-7: Copy the ewallet.p12 file to the wallet directory created in Step-3.
Step-8: Restart the server.
Stop services:
./opmnctl stopall
And start services:
./opmnctl startall
Checked the certificate with the command below:
$ openssl s_client -showcerts -connect <DNS_ALIAS>:443
It should give output as:
Verify return code: 0 (ok)
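A check for the step above, added here as an example and not part of the original post: it parses the output of openssl s_client -showcerts -connect <DNS_ALIAS>:443 (constructed samples, with <DNS_ALIAS> as the page's placeholder) and fails the endpoint if the chain did not verify, the leaf CN does not match the DNS alias, the intermediate CA from Step-6 is not sent, or a weak cipher such as RC4 (which the SSLCipherSuite above still allows) was negotiated.

```python
# Added example, not from the original post: validate what
# `openssl s_client -showcerts -connect <DNS_ALIAS>:443` prints after Step-8.
import re
# Constructed sample of a healthy handshake; <DNS_ALIAS> is the page's placeholder.
GOOD_OUTPUT = """\
Certificate chain
 0 s:CN = <DNS_ALIAS>
   i:C = US, O = Example Root, CN = Example Issuing CA
 1 s:C = US, O = Example Root, CN = Example Issuing CA
   i:C = US, O = Example Root, CN = Example Root CA
Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
"""
# Constructed sample of a broken deployment: no intermediate sent, wrong CN, RC4.
BAD_OUTPUT = """\
Certificate chain
 0 s:CN = <servername>
   i:C = US, O = Example Root, CN = Example Issuing CA
Cipher    : RC4-SHA
    Verify return code: 21 (unable to verify the first certificate)
"""

def parse_s_client(text):
    """Extract the (subject, issuer) chain, negotiated cipher and verify code."""
    code = re.search(r"Verify return code: (\d+)", text)
    cipher = re.search(r"^Cipher\s*:\s*(\S+)", text, re.M)
    return {
        "chain": re.findall(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", text, re.M),  # leaf first
        "cipher": cipher.group(1) if cipher else "",
        "verify_code": int(code.group(1)) if code else -1,
    }

def check_endpoint(text, dns_alias):
    """Return a list of findings; an empty list means the endpoint passed."""
    r = parse_s_client(text)
    problems = []
    leaf_subject = r["chain"][0][0] if r["chain"] else ""
    cn = re.search(r"CN\s*=\s*([^,/]+)", leaf_subject)
    if r["verify_code"] != 0:
        problems.append(f"chain not trusted (Verify return code {r['verify_code']})")
    if not cn or cn.group(1).strip() != dns_alias:
        problems.append("leaf certificate CN does not match the DNS alias")
    # Each issuer must be the subject of the next cert sent (intermediate CA present).
    for (_, issuer), (subject, _) in zip(r["chain"], r["chain"][1:]):
        if issuer != subject:
            problems.append(f"chain gap between '{issuer}' and '{subject}'")
    if re.search(r"RC4|EXP|NULL|ADH|DES-CBC", r["cipher"]):
        problems.append(f"weak cipher negotiated: {r['cipher']}")
    return problems
```

Feed it the real s_client output instead of the samples, e.g. check_endpoint(open("s_client.txt").read(), "<DNS_ALIAS>"), and treat any non-empty result as a failed deployment.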
=====================
Issue & Solution: Error on accessing the URL:
"You should have been redirected to https://<old DNS url >/gdgp/index.html."
To resolve the error, configure the new DNS name as the HttpServer URL in the config.cfg file of the UCM server, which resides in the "$DOMAIN_HOME/ucm/cs/config/" location, and make sure to restart the UCM server after changing the HTTP server parameter.
Some steps to be done on the admin console as part of SSO configuration:
Create a datasource for the SQL Authenticator:
Using the datasource, configure the SQL Authenticator and put values as required:
Settings for the SSO Identity Asserter:
Settings for myrealm for user:
Settings for myrealm for group:
Restart the Admin server and test the URL:
Now we can access the URL from the browser.