IBM Tivoli Access Manager for e-business
Oracle9iAS Portal / Single Sign-On (Release 2) Integration

Copyright Notice

© Copyright IBM Corporation 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any computer language, in any form or by any means, electronic, mechanical, magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable documentation for your own use, provided that each such reproduction shall carry the IBM Corporation copyright notice. No other rights under copyright are granted without prior written permission of IBM Corporation. The document is not intended for production and is furnished "as is" without warranty of any kind. All warranties on this document are hereby disclaimed, including the warranties of merchantability and fitness for a particular purpose. U.S. Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corporation.

Trademarks

IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified, Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or both. Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both. UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other countries, or both.

Notices

References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products, programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any functionally equivalent product, program, or service can be used instead of the referenced product, program, or service. The evaluation and verification of operation in conjunction with other products, except those expressly designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents or pending patent applications covering subject matter in this document. The furnishing of this document does not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.

Table of Contents

Document History
Abstract
About Oracle9i Application Server
About IBM Tivoli Access Manager for e-business
Integration Architecture
    Integration Diagram
    Software Versions
        Oracle
        IBM Tivoli Access Manager for e-business
Configuration Procedure
    IBM Tivoli Access Manager for e-business
    Oracle9iAS
    Testing the Configuration
    Troubleshooting
Appendix – Oracle-supported Database Modules
Document History

Version 1.0, 05/21/2002: Created from the 9iAS Release 1 document. By Neil Readshaw.

Abstract

IBM Tivoli Access Manager for e-business provides single sign-on and centrally managed authorization solutions to the enterprise. This document describes how IBM Tivoli Access Manager can be configured to provide single sign-on to the suite of Oracle9iAS components. Oracle9iAS components authenticate through the Oracle9iAS Single Sign-On Server, which in turn can delegate authentication to a third-party single sign-on server such as Tivoli Access Manager. Once the Oracle9iAS Single Sign-On Server is integrated with Tivoli Access Manager, single sign-on access to Oracle's suite of SSO-enabled web-based applications follows automatically. Oracle9iAS Portal is used as a specific example.

About Oracle9i Application Server

From the Oracle web site:

Oracle9i Application Server (Oracle9iAS) is the industry's fastest, most complete and integrated J2EE application server. Oracle9iAS can save you money with built-in portal software, wireless and voice, Web page caching, powerful business intelligence features, complete integration, and more, pre-integrated in a single product. Oracle9iAS supports all major J2EE, Web services and XML industry standards, and its open and integration-ready architecture ensures that your Web applications can integrate with your IT environment.

SINGLE SIGN-ON IN ORACLE 9iAS

The Oracle9i Application Server (Oracle9iAS) provides a comprehensive, standard, and extensible set of security services for deploying business applications on the web, including single sign-on (SSO), directory, and Java security services. These services allow users to integrate custom business logic and third party products with Oracle web applications and tools in a single security framework.
DIRECTORY-ENABLED SECURITY VIA OID

Oracle has standardized on LDAP as the common mechanism for Oracle products to manage enterprise information about users and services in the enterprise. To support this, Oracle has developed a highly scalable, reliable, and secure LDAPv3-compliant directory, Oracle Internet Directory (OID), based on Oracle9i's proven database technology. OID provides LDAP directory services to Oracle products, and Oracle products in turn certify their LDAP implementation against OID.

JAVA SECURITY IN ORACLE 9iAS

The Oracle9iAS JAAS provider implements the Java2 Security Model, allowing application developers to obtain authenticated user (principal) identity from a set of standard authentication services provided by JAAS, and to manage the privileges which principals have for accessing objects. It also supports privilege delegation, for managing privileges of methods invoked by principals.

JAAS AUTHENTICATION

The Oracle9iAS JAAS provider supports a flexible authentication framework. It provides specific mechanisms for authentication, based on SSL and SSO, but also allows developers to integrate custom authentication modules through the standard JAAS Login Module API.

JAAS AUTHORIZATION

In addition to providing a complete role-based access control model for authorization, the Oracle9iAS JAAS implementation provides developers with architectural flexibility when managing authorizations. Choices include managing authorization centrally using LDAP, and through the file system via an XML-based API.

About IBM Tivoli Access Manager for e-business

Under the Tivoli brand, IBM Software Group produces a suite of security management products. The full suite includes:

IBM Tivoli Access Manager
IBM Tivoli Identity Manager
IBM Tivoli Intrusion Manager
IBM Tivoli Privacy Manager

IBM Tivoli Access Manager is a robust and secure policy management tool for e-business and distributed applications.
It addresses the challenges of escalating costs for e-business security, growing complexity of enterprise security solutions, and the inability to implement security policies across platforms. Through its highly available centralized authorization service, IBM Tivoli Access Manager enables better management of business-critical distributed information. It provides simple, secure access to critical information, and enhances communications with customers, business partners, and others.

[Figure 1: IBM Tivoli Access Manager. Layered diagram: Secure, Unified User Experience; E-Business Platforms and Solutions (Servlet/JSP, J2EE Servers, EJB, Portals, CRM, ERP); Enterprise Application Integration (XML/Web Services, Domino, CORBA, MQSeries); Operating Systems (Windows, UNIX, OS/390); IBM Tivoli Access Manager Security Platform; Multi-Enterprise Delegated Management.]

IBM Tivoli Access Manager provides authentication and access control services for Web resources. The WebSEAL server, a component of IBM Tivoli Access Manager for e-business, manages access to all Web servers, regardless of their platforms. This allows an organization to centrally control its Web resources as a single, logical Web space.

IBM Tivoli Access Manager for Business Integration provides protection for MQSeries messages. It allows MQSeries applications to send data with confidentiality and integrity using keys associated with the sending and receiving users. The IBM Tivoli Access Manager authorization service provides access control to MQSeries-based services, restricting which users or processes can and cannot put messages on queues or get messages from queues.

IBM Tivoli Access Manager also provides application APIs to allow in-house developed applications to access IBM Tivoli Access Manager services. IBM Tivoli Access Manager supports the J2EE standard JAAS (Java Authentication and Authorization Service) to allow native Java applications to access IBM Tivoli Access Manager for authorization decisions.
IBM Tivoli Access Manager also provides an implementation of the Open Group's standard authorization C-language API (AznAPI), so that applications that want to call out to a C API can use the IBM Tivoli Access Manager authorization and entitlements services. IBM Tivoli Access Manager provides a robust web-based delegated security administration utility that allows an organization to delegate security administration to members of its e-community. IBM Tivoli Access Manager is also the backbone for IBM Tivoli Privacy Manager, a product that helps implement e-business privacy policies.

Integration Architecture

Integration Diagram

Software Versions

Oracle

Oracle9iAS Portal Release 2

IBM Tivoli Access Manager for e-business

This integration works with Tivoli Policy Director WebSEAL 3.8 with e-Fix 7, IBM Tivoli Access Manager WebSEAL 3.9 with e-Fix 1, and later versions. The lab work was performed with IBM Tivoli Access Manager for e-business Version 3.9 with WebSEAL e-Fix 1.

Configuration Procedure

IBM Tivoli Access Manager for e-business

After completing a standard installation and configuration of the WebSEAL component and its dependencies, the following additional configuration is required.

1. Create junctions to the various Oracle9iAS web server components. Those components (and their default operating ports) are:

       Component                   Default Port
       Infrastructure Web Server   7777
       Infrastructure Web Cache    7778
       Portal Web Server           7779

2. For each junction, follow the notes below when selecting junction parameters.

   a. It is important that the user id be passed to the application server by using the "-c iv_user" flag; the Oracle side reads it from the HTTP_IV_USER variable.
   b. Ensure that the hostname supplied with the "-h" parameter is the fully-qualified DNS name of the application server machine.
   c. If the server is running on a non-default HTTP port, add the "-v <fqdn>:<port>" parameter to the junction creation command.
   d. Add "-j" to the junction options to ensure that JavaScript is filtered correctly.
   e. Ensure that the "script-filter" parameter is set to "yes" in webseald.conf.

Oracle9iAS

Oracle9iAS Single Sign-On Server provides an option for integrating with third-party single sign-on systems, and an external authentication implementation for IBM Tivoli Access Manager for e-business is provided for it. It relies on the fact that WebSEAL sets the HTTP_IV_USER CGI environment variable after successfully authenticating the user. The module obtains the user's identity from this variable and sets it as the SSO user name for all Login Server (Oracle9iAS Single Sign-On) to partner application communication. Because the Single Sign-On Server treats the identity in HTTP_IV_USER as already authenticated, the Oracle HTTP Server must be reachable only through WebSEAL; a client that can connect to the Oracle HTTP Server directly could supply its own HTTP_IV_USER value.

Installing this module requires these steps:

1. Ensure that Oracle9iAS Portal works in standalone mode, prior to integrating with Tivoli Access Manager.

2. Ensure that the HTTP_IV_USER CGI variable is passed to the PL/SQL environment. Note: this step must be repeated for both ORACLE_HOME environments, one for the Release 2 infrastructure and one for the Portal. Edit the dads.conf file in $IAS_HOME/Apache/modplsql/cfg to include the following directive in all Location stanzas:

       PlsqlCGIEnvironmentList HTTP_IV_USER

   This adds HTTP_IV_USER to the list of CGI environment variables that mod_plsql passes to the PL/SQL environment, making it available for inspection by the Oracle9iAS Single Sign-On Server's procedures. Restart the HTTP server to read the new configuration:

       # $ORACLE_HOME/dcm/bin/dcmctl stop -ct ohs
       # $ORACLE_HOME/dcm/bin/dcmctl start -ct ohs

3. Verify that ServerName (the name of the host on which Oracle9iAS is installed) is set correctly in $IAS_HOME/Apache/httpd.conf: ensure that it is correct and lowercase (particularly on Windows 2000 systems). If a change was made, restart the HTTP server to read the new configuration.

4. Install the Oracle9iAS Single Sign-On Server external authentication module in place of the default one. Substitute the actual ORASSO schema password for the default shown below:

       $ sqlplus orasso/orasso
       SQL> @ssowbsl.sql
       Package body created.
       No errors.
       PL/SQL procedure successfully completed.
       Commit complete.
       No errors.
       SQL> quit
       $

Testing the Configuration

Use a URL similar to the one below to access the welcome page of the portal:

       http[s]://<webseal-server>/<oracle-portal-junction>/pls/portal

Click on the Login link in the top right-hand corner of the portal to gain access to the authenticated portal content.

Troubleshooting

1. Ensure that all Oracle patches are correctly applied as described in the Oracle Release Notes.

Appendix – Oracle-supported Database Modules

Load script and authentication module (Step 4 above)
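The WebSEAL junction rules (step 2 of the Tivoli Access Manager section) and the dads.conf and ServerName checks (steps 2 and 3 of the Oracle9iAS section) collected into one pre-flight script. This is an added example, not part of the IBM document or of either product: the pdadmin "server task ... create" syntax is WebSEAL's, while the WebSEAL instance name, junction names, host names and configuration excerpts are constructed assumptions.

```python
"""Pre-flight checks for the WebSEAL / Oracle9iAS Single Sign-On integration.

Added example: this script is not part of the IBM document or of either
product. The pdadmin 'server task ... create' syntax is WebSEAL's; the
instance name, host names, junction names and configuration excerpts are
constructed for illustration.
"""
import re

# Oracle9iAS web components and their default ports, as listed in the document.
ORACLE_COMPONENTS = {
    "Infrastructure Web Server": 7777,
    "Infrastructure Web Cache": 7778,
    "Portal Web Server": 7779,
}


def junction_command(webseal_instance, junction, fqdn, port):
    """Build the pdadmin command for one junction, applying the document's
    rules: -c iv_user so the user id reaches Oracle, -h with a lower-case
    fully-qualified name, -v <fqdn>:<port> when the server is not on the
    default HTTP port, and -j so script-generated URLs are rewritten."""
    if fqdn != fqdn.lower() or "." not in fqdn:
        raise ValueError(f"-h must be a lower-case fully-qualified DNS name, got {fqdn!r}")
    opts = ["-t", "tcp", "-h", fqdn, "-p", str(port), "-c", "iv_user", "-j"]
    if port != 80:
        opts += ["-v", f"{fqdn}:{port}"]
    return f"server task {webseal_instance} create {' '.join(opts)} {junction}"


def dads_stanzas_missing_iv_user(dads_conf):
    """Step 2 check: return the <Location> paths in dads.conf whose
    PlsqlCGIEnvironmentList does not include HTTP_IV_USER. Without it the
    SSO module never sees the identity WebSEAL asserted."""
    missing = []
    stanza = re.compile(r"<Location\s+([^>\s]+)[^>]*>(.*?)</Location>", re.S | re.I)
    for match in stanza.finditer(dads_conf):
        path, body = match.group(1), match.group(2)
        passed = set()
        for line in body.splitlines():
            words = line.split()
            if words and words[0].lower() == "plsqlcgienvironmentlist":
                passed.update(word.upper() for word in words[1:])
        if "HTTP_IV_USER" not in passed:
            missing.append(path)
    return missing


def servername_problems(httpd_conf, junction_fqdn):
    """Step 3 check: ServerName in httpd.conf must be set, lower-case and the
    same host the WebSEAL junction points at."""
    names = []
    for line in httpd_conf.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "servername":
            names.append(words[1])
    if not names:
        return ["ServerName is not set"]
    problems = []
    for name in names:
        if name != name.lower():
            problems.append(f"ServerName {name!r} is not lower-case")
        if name.lower() != junction_fqdn.lower():
            problems.append(f"ServerName {name!r} does not match junction host {junction_fqdn!r}")
    return problems


# Constructed sample configuration excerpts (assumed host names and paths):
# the /pls/portal stanza deliberately lacks the HTTP_IV_USER directive and
# the ServerName is deliberately mixed-case, so both checks report a finding.
SAMPLE_DADS_CONF = """\
<Location /pls/orasso>
  SetHandler pls_handler
  PlsqlDatabaseUsername orasso
  PlsqlCGIEnvironmentList HTTP_IV_USER
</Location>
<Location /pls/portal>
  SetHandler pls_handler
  PlsqlDatabaseUsername portal
</Location>
"""
SAMPLE_HTTPD_CONF = "ServerName Portal.Example.com\nPort 7779\n"


def main():
    for name, port in ORACLE_COMPONENTS.items():
        junction = "/" + name.lower().replace(" ", "-")
        print(junction_command("webseald-ws1", junction, "portal.example.com", port))
    for path in dads_stanzas_missing_iv_user(SAMPLE_DADS_CONF):
        print(f"dads.conf: stanza {path} does not pass HTTP_IV_USER")
    for problem in servername_problems(SAMPLE_HTTPD_CONF, "portal.example.com"):
        print(f"httpd.conf: {problem}")


if __name__ == "__main__":
    main()
```

Run it against the real dads.conf and httpd.conf from both ORACLE_HOME environments before loading the authentication module; the pdadmin commands it prints are meant to be pasted into a pdadmin session. The script does not cover the script-filter setting in webseald.conf or the Oracle patch level, which still need to be checked by hand.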