IBM Tivoli Access Manager for e-business
Oracle9iAS Portal / Single Sign-On
(Release 2) Integration
Copyright Notice
© Copyright IBM Corporation 2001. All rights reserved. May only be used pursuant to a Tivoli Systems Software
License Agreement, an IBM Software License Agreement, or Addendum for Tivoli Products to IBM Customer or
License Agreement. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval
system, or translated into any computer language, in any form or by any means, electronic, mechanical,
magnetic, optical, chemical, manual, or otherwise, without prior written permission of IBM Corporation. IBM
Corporation grants you limited permission to make hardcopy or other reproductions of any machine-readable
documentation for your own use, provided that each such reproduction shall carry the IBM Corporation
copyright notice. No other rights under copyright are granted without prior written permission of IBM
Corporation. The document is not intended for production and is furnished “as is” without warranty of any kind.
All warranties on this document are hereby disclaimed, including the warranties of merchantability and
fitness for a particular purpose.
U.S. Government Users Restricted Rights—Use, duplication or disclosure restricted by GSA ADP Schedule
Contract with IBM Corporation.
Trademarks
IBM, the IBM logo, Tivoli, the Tivoli logo, AIX, Cross-Site, NetView, OS/2, Planet Tivoli, RS/6000, Tivoli Certified,
Tivoli Enterprise, Tivoli Enterprise Console, Tivoli Ready, and TME are trademarks or registered trademarks of
International Business Machines Corporation or Tivoli Systems Inc. in the United States, other countries, or
both.
Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United
States, other countries, or both.
UNIX is a registered trademark of The Open Group in the United States and other countries.
Java and all Java-based trademarks are trademarks of Sun Microsystems, Inc. in the United States, other
countries, or both.
Notices
References in this publication to Tivoli Systems or IBM products, programs, or services do not imply that they
will be available in all countries in which Tivoli Systems or IBM operates. Any reference to these products,
programs, or services is not intended to imply that only Tivoli Systems or IBM products, programs, or services
can be used. Subject to valid intellectual property or other legally protectable right of Tivoli Systems or IBM, any
functionally equivalent product, program, or service can be used instead of the referenced product, program, or
service. The evaluation and verification of operation in conjunction with other products, except those expressly
designated by Tivoli Systems or IBM, are the responsibility of the user. Tivoli Systems or IBM may have patents
or pending patent applications covering subject matter in this document. The furnishing of this document does
not give you any license to these patents. You can send license inquiries, in writing, to the IBM Director of
Licensing, IBM Corporation, North Castle Drive, Armonk, New York 10504-1785, U.S.A.
Table of Contents
Table of Contents  iii
Document History  iv
Abstract  1
About Oracle9i Application Server  2
About IBM Tivoli Access Manager for e-business  3
Integration Architecture  5
  Integration Diagram  5
  Software Versions  5
    Oracle  5
    IBM Tivoli Access Manager for e-business  5
Configuration Procedure  6
  IBM Tivoli Access Manager for e-business  6
  Oracle9iAS  6
  Testing the Configuration  8
  Troubleshooting  8
Appendix – Oracle-supported Database Modules  9
Document History
Version  Date        Description                             By
1.0      05/21/2002  Created from 9iAS Release 1 document.   Neil Readshaw
Abstract
IBM Tivoli Access Manager for e-business provides single sign-on and centrally managed
authorization solutions to the Enterprise. This document describes how IBM Tivoli Access
Manager can be configured to provide single sign-on to the suite of Oracle9iAS
components. Oracle9iAS components authenticate through the Oracle9iAS Single Sign-On
Server, which in turn can delegate authentication to a third-party single sign-on server,
such as Tivoli Access Manager. By providing the integration of the Oracle9iAS Single
Sign-On Server with Tivoli Access Manager, single sign-on access to Oracle’s suite of
SSO-enabled web-based applications is automatically achieved. Oracle9iAS Portal is
used as a specific example.
About Oracle9i Application Server
From the Oracle web site:
Oracle9i Application Server (Oracle9iAS) is the industry's fastest, most complete and
integrated J2EE application server. Oracle9iAS can save you money with built-in portal
software, wireless and voice, Web page caching, powerful business intelligence features,
complete integration, and more, pre-integrated in a single product. Oracle9iAS supports all
major J2EE, Web services and XML industry standards, and its open and integration-ready
architecture ensures that your Web applications can integrate with your IT
environment.
SINGLE SIGN-ON IN ORACLE 9iAS
The Oracle9i Application Server (Oracle9iAS) provides a comprehensive, standard, and
extensible set of security services for deploying business applications on the web,
including single sign-on (SSO), directory, and Java security services. These services allow
users to integrate custom business logic and third party products with Oracle web
applications and tools in a single security framework.
DIRECTORY-ENABLED SECURITY VIA OID
Oracle has standardized on LDAP as the common mechanism for Oracle products to
manage enterprise information about users and services in the enterprise. To support
this, Oracle has developed a highly scalable, reliable, and secure LDAPv3-compliant
directory, Oracle Internet Directory (OID) based on Oracle9i’s proven database
technology. OID provides LDAP directory services to Oracle products, and Oracle
products in turn certify their LDAP implementation against OID.
JAVA SECURITY IN ORACLE 9IAS
The Oracle9iAS JAAS provider implements the Java2 Security Model,
allowing application developers to obtain authenticated user (principal)
identity from a set of standard authentication services provided by JAAS, and
to manage the privileges which principals have for accessing objects.
It also supports privilege delegation, for managing privileges of methods
invoked by principals.
JAAS AUTHENTICATION
The Oracle9iAS JAAS provider supports a flexible authentication framework. It provides
specific mechanisms for authentication, based on SSL and SSO, but also allows
developers to integrate custom authentication modules through the standard JAAS Login
Module API.
JAAS AUTHORIZATION
In addition to providing a complete role-based access control model for authorization, the
Oracle9iAS JAAS implementation provides developers with architectural flexibility when
managing authorizations. Choices include managing authorization centrally using LDAP,
and through the file system via an XML-based API.
About IBM Tivoli Access Manager for e-business
Under the Tivoli brand, IBM Software Group produces a suite of security management
products. The full suite includes:
• IBM Tivoli Access Manager
• IBM Tivoli Identity Manager
• IBM Tivoli Intrusion Manager
• IBM Tivoli Privacy Manager
IBM Tivoli Access Manager is a robust and secure policy management tool for e-business
and distributed applications. It addresses the challenges of escalating costs for e-business
security, growing complexity of enterprise security solutions, and the inability to implement
security policies across platforms. Through its highly available centralized authorization
service, IBM Tivoli Access Manager enables better management of business-critical
distributed information. It provides simple, secure access to critical information, and
enhances communications with customers, business partners, and others.
Figure 1: IBM Tivoli Access Manager. [Diagram: the IBM Tivoli Access Manager Security
Platform providing a secure, unified user experience across J2EE servers (Servlet/JSP,
EJB), e-business platforms and solutions (Portals, CRM, ERP, XML/Web Services),
enterprise application integration (Domino, CORBA, MQSeries) and operating systems
(Windows, UNIX, OS/390), with multi-enterprise delegated management.]
IBM Tivoli Access Manager provides authentication and access control services for Web
resources. The WebSEAL server, a component of IBM Tivoli Access Manager for
e-business, manages access to all Web servers, regardless of their platforms. This allows
an organization to centrally control their Web resources as a single, logical Web space.
IBM Tivoli Access Manager for Business Integration provides protection for MQSeries
messages. It allows MQSeries applications to send data with confidentiality and integrity
using keys associated with the sending and receiving users. The IBM Tivoli Access
Manager authorization service provides access control to MQSeries based services,
restricting which users or processes can and cannot put messages on queues or get
messages from queues.
IBM Tivoli Access Manager also provides application APIs to allow in-house developed
applications to access IBM Tivoli Access Manager services. IBM Tivoli Access Manager
supports the J2EE standard JAAS (Java Authentication and Authorization Service) to
allow native Java applications to access IBM Tivoli Access Manager for authorization
decisions. IBM Tivoli Access Manager also provides an implementation of the Open
Group’s standard authorization C-language API (AznAPI) to allow applications that want to
call out to a C API to use the IBM Tivoli Access Manager authorization and entitlements
services.
IBM Tivoli Access Manager provides a robust web-based delegated security
administration utility that allows organizations to delegate security administration to
members of their eCommunity.
IBM Tivoli Access Manager is also the backbone for IBM Tivoli Privacy Manager, a
product that helps implement e-business privacy policies.
Integration Architecture
Integration Diagram
Software Versions
Oracle
Oracle9iAS Portal Release 2
IBM Tivoli Access Manager for e-business
This integration will work with versions of IBM Tivoli Access Manager for e-business
including Tivoli Policy Director WebSEAL 3.8 with e-Fix 7, Tivoli Access Manager
WebSEAL 3.9 with e-Fix 1, and above. The lab work was performed with IBM Tivoli
Access Manager for e-business Version 3.9 with WebSEAL e-Fix 1.
Configuration Procedure
IBM Tivoli Access Manager for e-business
After completing a standard installation and configuration of the WebSEAL component
and its dependencies, the following additional configuration is required.
1. Create junctions to the various Oracle9iAS web server components. Those
   components (and default operating ports) are:
   Component                   Default Port
   Infrastructure Web Server   7777
   Infrastructure Web Cache    7778
   Portal Web Server           7779
2. For each junction, follow the notes below when selecting junction parameters.
   a. It is important that the user id be passed to the application server by using the
      “-c iv_user” flag.
   b. Ensure that the hostname supplied with the “-h” parameter is the fully-qualified
      DNS name of the application server machine.
   c. If the server is running on a non-default HTTP port, add the “-v <fqdn>:<port>”
      parameter to the junction creation command.
   d. Add “-j” to the junction options to ensure that JavaScript is filtered correctly.
   e. Ensure that the “script-filter” parameter is set to “yes” in webseald.conf.
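The following script is an added example, not part of the IBM document: it composes the WebSEAL junction commands for the three Oracle9iAS components with the parameters the notes above call for (-c iv_user, a fully-qualified lowercase -h, -v fqdn:port because all three components run on non-default ports, and -j). The WebSEAL instance name webseald-default, the backend host oracle.example.com and the junction points /oracle-infra, /oracle-cache and /oracle-portal are assumed placeholders; substitute your own.

```shell
#!/bin/sh
# Added example, not from the IBM document: build pdadmin "server task ... create"
# lines for the three Oracle9iAS junctions, applying the notes from step 2.
# Assumed placeholders: WebSEAL instance "webseald-default", backend host
# oracle.example.com and the /oracle-* junction points.

WEBSEAL_SERVER=webseald-default   # assumed WebSEAL instance name

# is_lowercase_fqdn HOST: succeeds only if HOST has a dot and no upper-case letters
is_lowercase_fqdn() {
    case $1 in
        *[A-Z]*) return 1 ;;   # Oracle compares the name literally; keep it lowercase
    esac
    case $1 in
        *.*) return 0 ;;
        *)   return 1 ;;
    esac
}

# junction_cmd FQDN PORT JUNCTION_POINT
# Prints one pdadmin command line; returns 1 and prints nothing when the host
# name is not a lowercase fully-qualified DNS name.
junction_cmd() {
    fqdn=$1; port=$2; jct=$3
    is_lowercase_fqdn "$fqdn" || return 1
    # -c iv_user passes the authenticated user id; -j handles script-generated URLs
    opts="-t tcp -h $fqdn -p $port -c iv_user -j"
    # Non-default HTTP port: supply the fqdn:port value the Oracle server expects
    [ "$port" -eq 80 ] || opts="$opts -v $fqdn:$port"
    echo "server task $WEBSEAL_SERVER create $opts $jct"
}

# oracle_junctions FQDN: the three Oracle9iAS components and their default ports
oracle_junctions() {
    for spec in "Infrastructure Web Server:7777:/oracle-infra" \
                "Infrastructure Web Cache:7778:/oracle-cache" \
                "Portal Web Server:7779:/oracle-portal"; do
        name=${spec%%:*}; rest=${spec#*:}
        port=${rest%%:*}; jct=${rest#*:}
        echo "# $name"
        junction_cmd "$1" "$port" "$jct" || return 1
    done
}

# Demo: print the commands for review before handing them to pdadmin
oracle_junctions oracle.example.com
```

Review the printed lines, then run them from a pdadmin session (pdadmin reads commands from standard input) against the WebSEAL instance named in WEBSEAL_SERVER. Remember that step e (script-filter = yes in webseald.conf) is a server-wide setting and is not part of the junction command.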
Oracle9iAS
Oracle provides an option for integrating with third-party single sign-on systems, with
Oracle9iAS Single Sign-On Server. It provides an external authentication implementation
for IBM Tivoli Access Manager for e-business.
It leverages the fact that WebSEAL will set the HTTP_IV_USER CGI environment variable
after successfully authenticating the user. This module obtains the user's identity from this
variable and sets it as the SSO user name for all Login Server (Oracle9iAS Single
Sign-On) to partner application communication.
Installing this module requires these steps:
1. Ensure that Oracle9iAS Portal works in standalone mode, prior to
integrating with Tivoli Access Manager.
2. Ensure that the HTTP_IV_USER CGI variable is passed to the PLSQL
environment.
Note: this step must be repeated for both ORACLE_HOME
environments – one for the Release 2 infrastructure, one for the Portal.
Edit the dads.conf file in $IAS_HOME/Apache/modplsql/cfg to include the
following directive in all location stanzas:
PlsqlCGIEnvironmentList HTTP_IV_USER
This will add the HTTP_IV_USER CGI variable to the list of CGI
environment variables passed by modplsql to the PLSQL environment to
make it available to the Oracle9iAS Single Sign-On server's procedures,
for inspection.
Restart the HTTP server to read the new configuration information:
# $ORACLE_HOME/dcm/bin/dcmctl stop -ct ohs
# $ORACLE_HOME/dcm/bin/dcmctl start -ct ohs
3. Verify that ServerName (the name of the host on which Oracle9iAS is
installed) is set correctly in $IAS_HOME/Apache/httpd.conf: ensure that it
is correct and lowercase (particularly on Windows 2000 systems). If a
change was made, restart the HTTP server to read the new configuration
information.
4. Install the Oracle9iAS Single Sign-On Server external auth module in
place of the default.
$ sqlplus orasso/orasso
SQL> @ssowbsl.sql
Package body created.
No errors.
PL/SQL procedure successfully completed.
Commit complete.
No errors.
SQL> quit
$
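Because the external authentication module accepts whatever HTTP_IV_USER value reaches PL/SQL, the Oracle HTTP Server ports should be reachable only through the WebSEAL junctions; the configuration side of step 2 is easy to get wrong because the directive has to appear in every location stanza of dads.conf in both ORACLE_HOME environments. The script below is an added example, not from the IBM or Oracle documentation: it audits a dads.conf and names each <Location> stanza that does not list HTTP_IV_USER in PlsqlCGIEnvironmentList. The sample file it writes is constructed for the demo; the directive names in it (SetHandler, PlsqlDatabaseUsername) are standard mod_plsql directives, but the stanza contents are not taken from a real installation.

```shell
#!/bin/sh
# Added example, not from the IBM or Oracle documentation: audit a modplsql
# dads.conf and report every <Location> stanza that does not pass HTTP_IV_USER
# through PlsqlCGIEnvironmentList (step 2 above). Run it once per ORACLE_HOME.
# The file written by make_sample is constructed for this demo.

# check_dads_conf FILE
# Prints the path of each <Location ...> stanza lacking the directive.
# Returns 0 when every stanza passes HTTP_IV_USER, 1 otherwise.
check_dads_conf() {
    awk '
        # Stanza start: remember its path and reset the per-stanza flag
        /^[ \t]*<Location[ \t]/ {
            loc = $2; sub(/>.*$/, "", loc); found = 0; in_loc = 1; next
        }
        # The directive may list several variables; match the exact token
        in_loc && /^[ \t]*PlsqlCGIEnvironmentList[ \t]/ {
            for (i = 2; i <= NF; i++) if ($i == "HTTP_IV_USER") found = 1
            next
        }
        # Stanza end: report it if the variable was never listed
        /^[ \t]*<\/Location>/ {
            if (in_loc && !found) { print loc; missing++ }
            in_loc = 0; next
        }
        END { if (missing > 0) exit 1 }
    ' "$1"
}

# make_sample FILE: constructed dads.conf with one stanza done correctly
# (/pls/portal) and one that still lacks the directive (/pls/orasso)
make_sample() {
    cat > "$1" <<'EOF'
<Location /pls/portal>
    SetHandler pls_handler
    PlsqlDatabaseUsername portal
    PlsqlCGIEnvironmentList HTTP_IV_USER
</Location>
<Location /pls/orasso>
    SetHandler pls_handler
    PlsqlDatabaseUsername orasso
</Location>
EOF
}

# Demo run on the constructed file
sample=${TMPDIR:-/tmp}/dads_demo.$$.conf
make_sample "$sample"
if check_dads_conf "$sample"; then
    echo "all Location stanzas pass HTTP_IV_USER to PL/SQL"
else
    echo "stanzas listed above are missing PlsqlCGIEnvironmentList HTTP_IV_USER"
fi
rm -f "$sample"
```

On a real system, call check_dads_conf on $IAS_HOME/Apache/modplsql/cfg/dads.conf for the infrastructure home and again for the Portal home, and restart the HTTP server after any stanza is corrected.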
Testing the Configuration
Use a URL similar to the one below to access the welcome page of the portal.
http[s]://<webseal-server>/<oracle-portal-junction>/pls/portal
Click on the Login link in the top right hand corner of the portal to gain access to the
authenticated portal content.
Troubleshooting
1. Ensure that all Oracle patches are correctly applied as described in the Oracle Release
Notes.
Appendix – Oracle-supported Database Modules
Load script and authentication module (Step 4 above)
© International Business Machines Corporation, 2001. IBM, the IBM logo, e(logo), DB2, and WebSphere are trademarks
or registered trademarks of IBM Corporation in the United States, other countries, or both. Lotus is a trademark of Lotus
Development Corporation and/or IBM Corporation in the United States, other countries, or both. Tivoli is a trademark of
Tivoli Systems Inc. and/or IBM Corporation in the United States, other countries, or both. Pantone is a trademark of
Pantone Inc. Other company, product and service names may be trademarks or service marks of others.