JD Edwards
Single Sign On…. You click on your browser favorite (or manually type the URL
in the address field) and JDE opens without asking you to sign-in but use your
Windows PC account to authenticate via the domain Active Directory... This is
what I was asked to configure a few months ago. I always wondered if Oracle had
an “add-on” to do this easily…. And I quickly discovered that they did NOT! But
I did IT!
When searching
the Oracle support website for information, this is what I found:
Will
SSO implementation eliminate the login screen for users on HTML client
workstation?
Is
the Unifed Logon Process possible in HTML/Web clients?
Is
there a way to eliminate the login screen for Web clients?
To make it short, the same answer
for the three questions was: NO so back
to the drawing board, I wasn’t going to find an easy way through…
After a little digging in Server
Manager I found the following in the Network Settings of my HTML instance
([SECURITY] section in the JAS.INI):
Enable
Oracle Single Sign-on
Enable
Oracle Access Manager
Oracle Single Sign-on…. Sounds good…
What could it be…? Google it! Forget it…. You login to an Oracle “portal” which
then, when you select JD Edwards in the portal sends you straight to the
application without a JDE login screen. Good but not good enough, you still
have a login screen (OK not JDE but you HAVE a login screen) and on top of that
you have to use OID: the Oracle Active Directory… which means migrating all my Windows
AD to OID: NO WAY!
So... Last option: OAM. This is what
Oracle tells me about OAM:
"Oracle Access Manager 11g is a Java
Platform, Enterprise Edition (Java EE)-based enterprise-level security
application that provides restricted access to confidential information and
centralized authentication and authorization services. All existing access
technologies in the Oracle Identity Management stack converge in Oracle Access
Manager 11g."
Sounds alright, and OAM seems a lot
more flexible that the Oracle Portal, ie you can use protocols such as SAML or
Kerberos to configure Windows Native Authentication (WNA) and “remove” the OAM
login screen and keep my Windows AD… spot on!
Here are the steps to install all
this:
To install Oracle Identity and Access
Management, you must obtain the following software:
• Oracle WebLogic Server 11g Release
1 (10.3.5).
• Oracle Repository Creation Utility
(11.1.2).
• Oracle Identity and Access
Management Suite (11.1.2).
• Oracle WebTier
Utilities (11.1.1.7).
• Oracle Webgate.
Creating Database Schema using RCU
You must create and load the
appropriate Oracle Fusion Middleware schemas in the database using RCU before
installing and configuring Oracle Identity and Access Management components.
Before running RCU, ensure that you have the database connection string, port,
administrator credentials, and service name ready. When you run RCU, create and
load only the following schemas for the Oracle Identity and Access Management
component you are installing—do not select any other schema available in RCU:
To install the database software,
follow the steps below:
- Log on as a member of the
Administrators group for the computer on which you want to install Oracle
components.
- Fom the downloaded directory (
D:\OracleSSO\rcu), double-click rcu.bat to start Oracle Universal Installer.
- Select Create and then Next.
- Enter your Database details.
- Select
Components as below:
- Click Finish, the required schemas
for OAM will be created.
Installing
Oracle Access Management (11.1.2)
To install the Oracle Oracle
Identity and Access Management, follow the steps below:
- Invoke the setup.exe -jreLoc
D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1 from the staging area
(C:\Users\admin_jde\Downloads\Oracle Identity and Access Management 11g
(11.1.2.0.0)\Disk1).
- Click Next on Welcome screen.
- If you don't want to receive the
security updates, then Uncheck "I wish to receive security updates via My
Oracle Support. " option, Click Next and press Yes button.
- The installer performs
prerequisite checks. Be sure to correct any failures before continuing, Click
Next.
- Specify the Oracle Middleware Home
and the Oracle Access Directory Home. The default home is Oracle_OAM, Click
Next.
- Review the Installation Summary
then Click Finish.
- Run the domain configure
from D:\OracleSSO\Oracle_IDM1\common\bin.
- The Fusion Middleware
Configuration Wizard screen appears, Select Create a new WebLogic domain option
then Click Next.
- Select the components to
configure. For OAM Server, you need Oracle Access Manager and Oracle
Enterprise Manager. Oracle JRF - 11.1.1.0 is selected by
default then Click Next.
- Enter a domain name and accept the
default locations, Click Next.
- Enter the Administrator User Name
and Password, Click Next.
- Select Production Mode and verify
the JDK version and location.
- Enter the JDBC Component Schema,
complete these fields, according to the schemas that have been created in
previous step.
The installer verifies all of the
component schema connections, Click Next.
- Select Administration Server and
Managed
Servers, Clusters and Machines options, Click Next.
- Enter the Administration Server
Name; for example, AdminServerOAM. Do not accept the default listen port (7001) if
you have Oracle Internet Directory Server already installed because it
might have used the default port.
Enter a unique listen port for this OAM server. For example, port 7009.
- Accept the default values on the
Configure Managed Servers page, Click Next.
- The Configure Clusters page
appears, Click Next.
- Select the Machine Type: On
Windows select the Machine tab. Select the Add tab, Enter a logical machine
name then Click Next.
- Assign the servers to this logical
machine, Click Next.
- Review the Configuration Summary.
Click Create, Click Done once the domain creation is completed
- DO NOT start the Admin server
before running the following 2 scripts:
D:\OracleSSO\Oracle_IDM1\common\bin\wlst.cmd
D:\OracleSSO\Oracle_IDM1\common\tools\configureSecurityStore.py -d
D:\OracleSSO\user_projects\domains\SSO -c IAM -p H75hsm49 -m create
D:\OracleSSO\Oracle_IDM1\common\bin\wlst.cmd
D:\OracleSSO\Oracle_IDM1\common\tools\configureSecurityStore.py -d
D:\OracleSSO\user_projects\domains\SSO -m validate
- Start the Admin Server: open a
command window, change the directory to D:\OracleSSO\user_projects\domains\SSO, Run
startWebLogic.cmd.
- Select the Servers and start the
oam_server1 managed server.
- Verify the OAM installation by
opening the OAM Admin Console:
http://jdedevweb:7009/oamconsole (The oamport is the same as the
WebLogic Console port).
Installing
Oracle WebTier Utilities
Oracle Web Tier contains the
following components:
- Oracle HTTP Server.
- Oracle Web Cache.
- Oracle Process Manager and Notification
Server (OPMN).
To install the Oracle WebTier
utilities, follow the steps below:
- Invoke the setup.exe from the
staging area
(C:\Users\admin_jde\Downloads\ofm_webtier_win_11.1.1.7.0_64_disk1_1of1\Disk1)
- Click Next on Welcome screen.
- If you don't want to receive the
security updates, then Uncheck "I wish to receive security updates via My
Oracle Support. " option, Click Next and press Yes button.
- Select "Install Software - Do
Not Configure", Click Next.
- Enter Middleware Home: D:\OracleSSO\Oracle_WT1
and enter Oracle Home Directory : Oracle_WT1 , Click Next.
- Keep default values until last
scren then Click Next.
- When Oracle WebTier is installed,
Run the Configuration Tool to configure your Oracle Web Tier products by
launching D:\OracleSSO\Oracle_WT1\bin\config.bat.
- Click Next on Welcome screen.
- Select "Oracle HTTP Server"
and "Associate Selected Components with WebLogic Domain", Click
Next.
- Specify the credentials for your
existing WebLogic Domain which hosts Fusion Middleware (EM) Control, Click
Next.
* hostname= jdewebdev
* port= 7009
* user= weblogic
* pwd= ***********
- Enter Oracle Home for the instance
to be created: D:\OracleSSO\Oracle_WT1\instances\ssoinstance, instance name: ssoinstance and OHS name: ohs1, Click Next.
- Select automatic port
configuration, Click Next.
- Click Finish.
Installing
Oracle WebGate
Oracle HTTP Server WebGate is a web
server plug-in that is shipped out-of-the-box with Oracle Access Manager. The
Oracle HTTP Server WebGate intercepts HTTP requests from users for web
resources and forwards them to the Access Server for authentication and
authorization. Oracle HTTP Server WebGate installation packages are found on
media and virtual media that is separate from the core components.
Use these steps to install Oracle
HTTP 11g WebGate:
- Invoke the setup.exe (setup.exe
-jreLoc D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1.) from the staging
area
(C:\Users\admin_jde\Downloads\ofm_webtier_win_11.1.1.7.0_64_disk1_1of1\Disk1).
- Click Next on the Welcome page.
- The installer performs
prerequisite checks, Click Next.
- Specify the Middleware Home and
WebGate Home Directory.
- Review the installation Summary
then Click Finish.
- You must complete the following
steps after installing Oracle HTTP Server 11g WebGate for Oracle Access
Manager:
- Move to the following directory
under your Oracle Home for WebGate:
<webgate_home>\webgate\ohs\tools\deployWebGate
- Run the command: deployWebgateInstance.bat
-w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home> Where
<Webgate_Oracle_Home> is the directory where you have installed Oracle
HTTP Server WebGate and created as the Oracle Home for WebGate. The
<Webgate_Instance_Directory> is the location of WebGate Instance Home,
which is same as the Instance Home of Oracle HTTP Server.
In our example we need to run:
deployWebGateInstance.bat -w
D:\OracleSSO\Oracle_WT1\instances\ssoinstance\config\OHS\ohs1 -oh
D:\OracleSSO\Oracle_OAMWebGate1
- Move to the directory:
<webgate_home>\webgate\ohs/tools\editHttpConf
- On the command line, run the
following command to copy the apache_webgate.template from the Webgate_Home
directory to the Webgate Instance location (renamed to webgate.conf) and update
the httpd.conf file to add one line to include the name of webgate.conf:
EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh
<Webgate_Oracle_Home>] [-o <output_file>] (The [-oh
<Webgate_Oracle_Home>] and [-o <output_file>] parameters are
optional.)
In our example we need to run:
EditHttpConf.exe -w
D:\OracleSSO\Oracle_WT1\instances\ssoinstance\config\OHS\ohs1
Registering the WebGate Agent for JD Edwards EnterpriseOne HTML Server
- On Create OAM 11G Webgate, enter a
name for the WebGate in the Name field. In the Security options area, select
Open, and then click the Apply button. This creates entries for the new WebGate
under the Host Identifiers and Application Domains nodes, as shown in the
following screen.
- To create the resource URL, in the
Applications Domains node, click Resources under the new WebGate. In the Search
Results area, click the Create button (paper icon):
- Repeat the preceding steps to add
the following resource URL: /…/*.
- Double-click the Protected
Resource Policy. The Resources tab displays the newly added resources:
- Click the Responses tab and click
the Add button (plus symbol icon):
- Review all registered agents, and
then select the System Configuration tab.
- Open the Access Manager Settings
section, and then open the SSO Agents option.
- In the "Access Manager
Settings" section in the left pane, double-click OAM Agents and then click
the Search button. A list of registered agents appears. The registered agent
creates a cwallet.sso file and ObAccessClient.xml file.
- Copy these two files from
<MW_HOME>/user_projects/domain/SSO/output/<Agent_name> and paste
them to the following directory on the JD Edwards EnterpriseOne Server:
<MW_Home>
Oracle_WT1\instances\ssoinstance\config\OHS\ohs1\webgate\config
- Restart the JD Edwards
EnterpriseOne HTML Server.
- After you install and configure
the Oracle HTTP Server and Oracle HTTP WebGate, you need to configure the mod_wl_ohs.conf
file.
- Navigate to the mod_wl_ohs.conf
file located at: MW_Home>/Oracle_WT1/instances/ ssoinstance /config/OHS/ohs1
- Edit the mod_wl_ohs.conf file. Add
a Virtual Host section:
NameVirtualHost *:7777
<VirtualHost *:7777>
<Location /jde>
SetHandler weblogic-handler
WebLogicHost jdedevweb
WebLogicPort 8020
</Location>
</VirtualHost>
- Restart the HTTP server. Change
the directory to MW_Home>/Oracle_WT1/instances/ ssoinstance /bin.
* Run ./opmnctl stopall
* Run ./opmnctl startall
Setting Up JD Edwards EnterpriseOne for Single Sign-On/Off Integration with OAM
This section discusses how to set up
JD Edwards EnterpriseOne HTML Server for single sign-on integration with Oracle
Access Manager through EnterpriseOne Server Manager.
- Open EnterpriseOne Server Manager
from a browser.
- Select your EnterpriseOne HTML
Server instance.
- Select Network Settings from the
Configuration section:
Oracle Access Manager Sign-Off URL: http://jdedevweb:14100/oamsso/logout.html?end_url=http://jdedevweb:7777/jde/index.jsp
- Stop and restart the EnterpriseOne
HTML Server.
Windows
Native Authentification (KERBEROS) Configuration
Oracle Access Manager enables
Microsoft Internet Explorer users to automatically authenticate to their Web
applications using their desktop credentials. This is known as Windows Native
Authentication (WNA).
Cross-platform authentication is
achieved by emulating the negotiate behavior of native Windows-to-Windows
authentication services that use the Kerberos protocol. In order for
cross-platform
authentication to work, non-Windows
servers (in this case, Oracle Access Manager) must parse SPNEGO tokens in order
to extract Kerberos tokens which are then used for authentication.
With Oracle Access Manager single
sign-on combined with WNA, a Kerberos session ticket is generated that contains
her login credentials, among other things. This Kerberos session ticket is not
visible to the user.
However, with WNA implemented, the
user can click on her Web application without another challenge for
credentials. Instead, her Kerberos session ticket, which includes her
credentials, is passed
through the browser to the Oracle
Access Manager server. The server validates the credentials by checking them
against the Key Distribution Center server (KDC server) on the Windows domain
server. (Note: The KDC, which is a
trusted third party, uses logically separate servers to grant and process
tickets, including the service server to authenticate session tickets and
confirm the
client's identity.)
If authentication succeeds she is
granted access to her Web applications automatically.
For instance, the application must
be protected by an Oracle Access Manager application domain that uses the
Kerberos authentication scheme (KerbScheme) with WNA as the challenge method.
In this case, credentials must be
stored in a Windows Active Directory instance that is registered as a
user-identify store with Oracle Access Manager.
- Create krb5.ini file (in:
D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp) and copy it in C:\Windows:
[Libdefaults]
default_realm = DOMAIN.INT
ticket_lifetime = 600
clockskew = 600
dns_lookup_realm = false
dns_lookup_kdc = false
forwardable = yes
udp_preference_limit = 1
default_tkt_enctypes = RC4-HMAC
arcfour-hmac-md5 des-cbc-crc des-cbc-md5
default_tgs_enctypes = RC4-HMAC
arcfour-hmac-md5 des-cbc-crc des-cbc-md5
[realms]
DOMAIN.INT= {
kdc = server.domain.int
admin_server = server.domain.int
default_domain = DOMAIN.INT
}
[domain_realm]
.domain.int = DOMAIN.INT
domain.int
= DOMAIN.INT
- Create the Service Principal Name
(SPN): You perform this task to create an SPN and associate it with a user. The
following procedure includes an example user named testuser. The Oracle Access
Manager server is deployed on a machine named JDEDEVWEB.DOMAIN.INT1.
- Run ktpass to create the service
principal name and associate it with this user:
ktpass -princ HTTP/JDEDEVWEB.domain.int@domain.int
-mapuser JDE -pass ******** -crypto ALL -out C:\TEMP\keytab.service
- Copy the newly created
keytab.services file to the machine on which the NG server is running
(D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp)
- Obtain the Kerberos Ticket
You use the klist and kinit command
to obtains the master Kerberos ticket that you use to get tickets for other
services (from JDK_HOME/bin):
klist -k -t -K -e
FILE:D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service
kinit
-J-Dsun.security.krb5.debug=true -k –t
D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service
output:
D:\Java\jrockit-jdk1.6.0_24-R28.1.3-4.0.1\bin>java.exe
-Dsun.security.krb5.debug
=true
sun.security.krb5.internal.tools.Kinit -k -t D:\OracleSSO\Oracle_WT1\insta
nces\ssoinstance\tmp\keytab.service
HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
>>>KinitOptions cache name
is C:\Users\admin_jde\krb5cc_admin_jde
Principal is HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
>>> Kinit using keytab
>>> Kinit keytab file name:
D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service
>>> KeyTabInputStream,
readName(): domain.int
>>> KeyTabInputStream,
readName(): HTTP
>>> KeyTabInputStream,
readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry
length: 69; type: 1
>>> KeyTabInputStream,
readName(): domain.int
>>> KeyTabInputStream,
readName(): HTTP
>>> KeyTabInputStream, readName():
JDEDEVWEB.domain.int
>>> KeyTab: load() entry
length: 69; type: 3
>>> KeyTabInputStream,
readName(): domain.int
>>> KeyTabInputStream,
readName(): HTTP
>>> KeyTabInputStream,
readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry
length: 77; type: 23
>>> KeyTabInputStream,
readName(): domain.int
>>> KeyTabInputStream,
readName(): HTTP
>>> KeyTabInputStream,
readName(): JDEDEVWEB.domain.int
>>> KeyTab: load() entry
length: 93; type: 18
>>> KeyTabInputStream,
readName():domain.int
>>> KeyTabInputStream,
readName(): HTTP
>>> KeyTabInputStream,
readName(): JDEDEVWEB. domain.int
>>> KeyTab: load() entry
length: 77; type: 17
Added key: 17version: 5
Found unsupported keytype (18) for
HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
Added key: 23version: 5
Added key: 3version: 5
Added key: 1version: 5
Ordering keys wrt
default_tkt_enctypes list
Config name: C:\Windows\krb5.ini
default etypes for
default_tkt_enctypes: 23 23 1 3.
0: EncryptionKey: keyType=23 kvno=5
keyValue (hex dump)=
0000: 14 1A E0 A1 B5 48 37 8C AC BD EF DA 1A F4 C5 C8 .....H7.........
1: EncryptionKey: keyType=1 kvno=5
keyValue (hex dump)=
0000: A7 0E AE 1F 1A B0 9E A4
2: EncryptionKey: keyType=3 kvno=5
keyValue (hex dump)=
0000: A7 0E AE 1F 1A B0 9E A4
>>> Kinit realm name is DOMAIN.INT
>>> Creating KrbAsReq
>>> KrbKdcReq local
addresses for JDEDEVWEB are:
JDEDEVWEB/172.16.1.62
IPv4 address
JDEDEVWEB/fe80:0:0:0:a141:c1bc:6745:a7a5%23
IPv6 address
default etypes for
default_tkt_enctypes: 23 23 1 3.
>>> KrbAsReq calling
createMessage
>>> KrbAsReq in
createMessage
>>> Kinit: sending as_req
to realm DOMAIN.INT
>>> KrbKdcReq send:
kdc=dedale. domain.int TCP:88, timeout=30000, number of re
tries =3, #bytes=217
>>>DEBUG: TCPClient reading
290 bytes
>>> KrbKdcReq send: #bytes
read=290
>>> KrbKdcReq send: #bytes
read=290
>>> KdcAccessibility:
remove dedale. domain.int
>>> reading response from
kdc
>>> KDCRep: init() encoding
tag is 126 req type is 11
>>>KRBError:
sTime is Fri Jun 14 12:17:09 CEST 2013
1371205029000
suSec is 619898
error code is 25
error Message is Additional
pre-authentication required
realm is DOMAIN.INT
sname is krbtgt/ DOMAIN.INT
eData provided.
msgType is 30
>>>Pre-Authentication Data:
PA-DATA type = 11
PA-ETYPE-INFO etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 19
PA-ETYPE-INFO2 etype = 23
>>>Pre-Authentication Data:
PA-DATA type = 2
PA-ENC-TIMESTAMP
>>>Pre-Authentication Data:
PA-DATA type = 16
>>>Pre-Authentication Data:
PA-DATA type = 15
Kinit: PREAUTH FAILED/REQ, re-send
AS-REQ
>>>KrbAsReq salt is DOMAIN.INTHTTPJDEDEVWEB.
DOMAIN.INT
Pre-Authenticaton: find key for
etype = 23
AS-REQ: Add PA_ENC_TIMESTAMP now
>>> EType:
sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsReq calling
createMessage
>>> KrbAsReq in
createMessage
>>> Kinit: sending as_req
to realm DOMAIN.INT
>>> KrbKdcReq send:
kdc=server.domain.int TCP:88, timeout=30000, number of re
tries =3, #bytes=293
>>>DEBUG: TCPClient reading
1634 bytes
>>> KrbKdcReq send: #bytes
read=1634
>>> KrbKdcReq send: #bytes
read=1634
>>> KdcAccessibility:
remove server.domain.int
>>> reading response from
kdc
>>> EType: sun.security.krb5.internal.crypto.ArcFourHmacEType
>>> KrbAsRep cons in
KrbAsReq.getReply HTTP/JDEDEVWEB.DOMAIN.INT
New ticket is stored in cache file
C:\Users\admin_jde\krb5cc_admin_jde
Follow the steps below in the OAM
Administration console:
- Configure User Identity Store:
- Modify the Kerberos Module by
browsing to System Configuration --> Access Manager --> Authentication
Modules --> Kerberos Authentication Module --> Kerberos. Set required
parameters as per your environment configuration. :
* Fichier de
clés: D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\keytab.service
*
Principal : HTTP/JDEDEVWEB.DOMAIN.INT@DOMAIN.INT
* Fichier de
configuration KRB : D:\OracleSSO\Oracle_WT1\instances\ssoinstance\tmp\krb5.ini
- Configure
Authentification Policy for EntrepriseOne
- Enabling the Browser to Return
Kerberos Tokens
To enable Kerberos tokens in Internet
Explorer
1. On a Windows host in the Active
Directory domain, sign in as a domain user.
2. Open the Internet Explorer
browser.
3. From the Tools menu, click
Internet Options, click Security, click Local Intranet,
click Advanced.
4. On the Advanced tab, Security
section, check the box beside Enable Integrated
Windows Authentication, and click
OK.
5. Add Oracle Access Manager CC host
or domain name to Local Intranet zone: http://jdedevweb:7777 & http://
jdedevweb:14100).
6. Restart the Internet Explorer
browser so the change takes effect.
To enable Kerberos tokens in Mozilla
Firefox
1. Point the browser to
about:config.
2. Add Oracle Access Manager CC host
or domain name under
network.negotiate-auth.trusted-uris.
Use the format
network.negotiate-auth.trusted-uris=http://mynode.myhost:myport
For instance for jdedevweb, you have
to enter network.negotiate-auth.trusted-uris=http://gvajdepoc4:14100
You can now use URL: http://jdedevweb:7777/jde to login to your JD Edwards application, it will use your Windows PC
login to log you in straight into JDE (Your Windows PC account will need to be
created as a JDE user first…)
MM