Monday Dec 03, 2012

OAM11gR2: Enabling SSL in the Data Store

Enabling SSL in the Data Store of OAM11gR2 comprises the following steps:

  • Import the certificate(s) required to establish trust with the backend store into the keystore (cacerts) on the machine hosting OAM's WebLogic Admin server
  • Restart the WebLogic Admin server
  • Specify <Hostname>:<SSL port> in the "Location" field of the Data Store and select the "Enable SSL" checkbox

Prerequisites:

  • The certificate(s) to be imported are available
  • The Data Store has already been created using the OAM admin console and the connection to the store succeeds on the non-SSL port (though one can also create a Data Store with SSL settings on the first go)

Steps for importing the certificate(s):

One can use the keytool utility bundled with the JDK to import the certificate. The import step is the same for self-signed and third-party certificates (such as those issued by VeriSign):

$JAVA_HOME/bin/keytool -import -v -noprompt -trustcacerts -alias <aliasname> -file <Path to the certificate file> -keystore $JAVA_HOME/jre/lib/security/cacerts

Here $JAVA_HOME refers to the JDK install directory.

Note: If multiple certificates are required to establish trust (for example, an intermediate CA and its root), import each of them with the same keytool command shown above, giving each a distinct alias.

One can verify that the certificate(s) were imported with the following command:

$JAVA_HOME/bin/keytool -list -alias <aliasname> -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Once trust has been established for the SSL communication, specifying the SSL-specific settings in the Data Store (via the OAM admin console) no longer produces the error seen before the certificates were imported, and "Test Connection" succeeds.
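The import-and-verify procedure above, as an added example that is not from the original post: POSIX shell functions wrapping the same keytool commands, with the keystore path and password passed explicitly so the calls work against $JAVA_HOME/jre/lib/security/cacerts as well as the throwaway truststore used in the demo. It assumes keytool is on the PATH; the hostname oid.example.com, the alias names and the passwords are constructed for the demo. Beyond the post's `keytool -list` check, the verify step compares the SHA-256 fingerprint of the stored entry with the certificate file, so an alias that already held an older certificate is reported instead of being mistaken for a successful import.

```shell
#!/bin/sh
# Added example (not from the original post): exercise the import-and-verify
# procedure end to end against a throwaway truststore. Hostname, aliases,
# passwords and file names below are constructed for the demo.
set -eu

# Import one certificate (PEM or DER) as a trusted entry. Same command as the
# post, with truststore path and password made explicit.
import_trust_cert() {
    # $1 = truststore path, $2 = store password, $3 = alias, $4 = certificate file
    keytool -importcert -noprompt -trustcacerts \
        -alias "$3" -file "$4" -keystore "$1" -storepass "$2" >/dev/null
}

# First SHA-256 fingerprint line in keytool output (keytool prints "SHA256:"
# or "SHA-256:" depending on the JDK); prints nothing if there is none.
sha256_from_keytool_output() {
    grep -i '^[[:space:]]*SHA-\{0,1\}256:' | head -n 1 | awk '{print $NF}'
}

# Fingerprint of the certificate file on disk.
file_fingerprint() {
    keytool -printcert -file "$1" | sha256_from_keytool_output
}

# Fingerprint of the entry stored under an alias (empty if the alias or the
# truststore does not exist).
alias_fingerprint() {
    # $1 = truststore path, $2 = store password, $3 = alias
    keytool -list -v -alias "$3" -keystore "$1" -storepass "$2" 2>/dev/null \
        | sha256_from_keytool_output || true
}

# Prints "trusted" when the alias exists and holds exactly the given certificate,
# "mismatch" when the alias holds a different certificate, "missing" otherwise.
verify_trust_cert() {
    # $1 = truststore path, $2 = store password, $3 = alias, $4 = certificate file
    stored=$(alias_fingerprint "$1" "$2" "$3")
    expected=$(file_fingerprint "$4")
    if [ -z "$stored" ]; then
        echo missing
    elif [ "$stored" = "$expected" ]; then
        echo trusted
    else
        echo mismatch
    fi
}

# Demo: a self-signed certificate stands in for the store's CA certificate.
run_demo() {
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    ts="$work/truststore.jks"
    pw=changeit

    # Constructed server certificate for a made-up LDAPS host, exported as PEM.
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 \
        -alias server -dname "CN=oid.example.com" \
        -keystore "$work/server.jks" -storepass "$pw" -keypass "$pw" >/dev/null 2>&1
    keytool -exportcert -rfc -alias server -keystore "$work/server.jks" \
        -storepass "$pw" -file "$work/oid-ca.pem" >/dev/null 2>&1

    echo "before import: $(verify_trust_cert "$ts" "$pw" oid-ca "$work/oid-ca.pem")"
    import_trust_cert "$ts" "$pw" oid-ca "$work/oid-ca.pem"
    echo "after import:  $(verify_trust_cert "$ts" "$pw" oid-ca "$work/oid-ca.pem")"
}

if [ "${1-}" = "--demo" ]; then
    run_demo
fi
```

Run it as `sh import_verify.sh --demo` to see "missing" before and "trusted" after the import. Against the real JDK truststore, call `import_trust_cert "$JAVA_HOME/jre/lib/security/cacerts" <store password> <aliasname> <certificate file>` followed by the matching `verify_trust_cert` call, then restart the WebLogic Admin server as described above.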

E-Business Integration with SSO using AccessGate

Moving away from the legacy Oracle SSO, Oracle E-Business Suite (EBS) introduced EBS AccessGate as the way forward for providing Single Sign On with Oracle Access Manager (OAM). Unlike an AccessGate in OAM terminology, EBS AccessGate has no OAM-specific configuration. Instead, EBS AccessGate uses the header variables sent by the SSO system to create the native user session, like any other SSO-enabled web application.

E-Business Suite Integration with Oracle Access Manager

E-Business Suite requires Oracle Internet Directory (OID) as the user repository to enable Single Sign On, because E-Business Suite must be registered with OID for Single Sign On. Additionally, E-Business Suite uses "orclguid" in OID to map the Single Sign On user to the corresponding local user profile. During authentication, EBS AccessGate expects the SSO system to return the orclguid and the EBS username (stored as a user attribute in the SSO user store) in two header variables, USER_ORCLGUID and USER_NAME respectively.

The following diagram depicts the authentication flow once the SSO system returns the EBS username and orclguid after successful authentication:

(Diagram: EBS AccessGate and OAM)

About

OIM11gR2 Blog by NA-TAG Offshore IDAM team
