A Case Study - Setting Up Oracle Forms 11g with OAM (Oracle Access Manager)

Article by Falilou Waidi, Principal Support Engineer, Oracle Corporation, France

Oracle Forms Services applications can be executed in a Single Sign-on environment using Oracle Access Manager 11g (OAM) and Oracle Internet Directory (OID) to eliminate the need for additional or different logins to access many applications during the same user session.

Oracle Forms Services applications in Oracle FMW 11g Release 2 can be protected by one of the following authentication servers:

  • Oracle Access Manager (OAM) 11g
  • Oracle Single Sign-On Server (OSSO) 10g

Configuration with OAM 11g


Definitions :

Authentication Server

Oracle Access Manager (OAM Server) - It is an Oracle FMW 11g authentication server that provides a full range of security functions that include Web single sign-on, authentication and authorization. When running Forms Services, it uses Oracle Internet Directory as the Identity Store.

Oracle Access Manager can use either mod_osso or webgate as the access client configured with Oracle HTTP Server.

Oracle Single Sign-On Server (OSSO Server) - It is an OracleAS 10g authentication server. It uses Oracle Internet Directory as the Identity Store. Oracle Single Sign-On Server uses mod_osso as the access client configured with Oracle HTTP Server.

Access Client

  • webgate - WebGate provides single sign-on support. It intercepts incoming HTTP requests and forwards them to the Access Server for authentication. Oracle Forms Services and Oracle Reports Services can use webgate as an access client with OAM server.
  • mod_osso - The HTTP module mod_osso simplifies the authentication process by serving as a partner application to the OAM server, rendering authentication transparent for applications. Oracle Forms Services and Oracle Reports Services can use mod_osso to register as partner applications with the OAM Server. mod_osso is also used as an access client with Oracle Single Sign-On server (OSSO).

Identity Store

Oracle Internet Directory (OID) is an LDAP server that is used as the Identity store by the authentication server and the Forms applications. An LDAP server is a special database that is optimized for read access.

Forms Servlet

The Oracle Forms Services component that accepts the initial user request to start a Forms application. The Forms servlet detects if an application requires authentication, directs the request to the authentication server and accesses the Oracle Internet Directory to obtain the database connection information.


Proceeding with the Installation

Install the Database :

  • Install version 11.2.0.1 or higher.
  • Check the certification pages for certified databases.

Post Installation Tasks :

sqlplus "/as sysdba"
SQL> alter system set session_cached_cursors=100 scope=spfile;
System altered.
SQL> alter system set processes=500 scope=spfile;
System altered.
SQL> alter system set aq_tm_processes=1 scope=both;
System altered.
SQL> alter system set db_cache_size=150994944 scope=both;
System altered.
SQL> alter system set java_pool_size=125829120 scope=both;
System altered.
SQL> alter system set shared_pool_size=183500800 scope=both;
System altered.
SQL> alter system set open_cursors=800 scope=both;
System altered.

Install RCU

Download the Oracle Fusion Middleware Repository Creation Utility, V26017-01 (379M).
Unzip the rcuHome.zip file to a directory and check for the rcu file in the bin directory:

$ cd bin
$ ./rcu





 RCU : Some Screenshots to highlight the steps

Install OID

Install WLS 10.3.2 using wls1032_linux32.bin:

./wls1032_linux32.bin

Upgrade WLS to 10.3.5:

java -jar wls1035_upgrade_generic.jar

Install OID 11.1.1.5

./runInstaller -invPtrLoc /oracle/oid/Middleware/oraInst.loc

  • Install it creating a new Domain
  • select all the products
  • Use SYS account
  • Select "create new Schema"






OID : Some Screenshots to highlight the steps

Install OAM

Install WLS

./wls1035_linux32.bin

Install OAM (Oracle Identity and Access Management 11.1.1.5.0)

./runInstaller -invPtrLoc /oracle/oam/Middleware/oraInst.loc

Please specify a valid JRE/JDK location :/oracle/oam/Middleware/jdk160_24/jre

Configure  OAM

cd /oracle/oam/Middleware/IDM2/common/bin
./config.sh









OAM : Some Screenshots to highlight the steps

Installing and Configuring Oracle Forms with OAM

Oracle Access Manager 11g is a Java Platform, Enterprise Edition (Java EE)-based enterprise-level security application that provides restricted access to confidential information and centralized authentication and authorization services. Oracle Access Manager 11g, a component of Oracle Fusion Middleware 11g, is a Single Sign-On solution for authentication and authorization.

Forms applications use a single sign-on solution only for obtaining database connection information from Oracle Internet Directory. Once the database information is obtained, interaction with the authentication server no longer occurs. Exiting a Forms application does not perform a single sign-on logout. Conversely, logging out of a single sign-on session does not terminate an active Forms session. The database session exists until the Forms Runtime (for example, frmweb.exe) on the server terminates, usually by explicitly exiting the form.

1. Enabling Single Sign-On for Forms Application During the installation

 If the user selects Application Identity Store and an authentication server during the installation of Oracle Forms and Reports 11gR2, then the Forms applications will be configured to be authenticated by Oracle AS Authentication Server.

2. Enabling Single Sign-On for Forms Application Post Installation

If the user does not select Application Identity store during the installation of Oracle Forms and Reports 11gR2, then the Forms application does not get authenticated by the authentication server. However, the user has the choice to enable single sign-on authentication for Forms application post installation.

2.1 Generating the osso.conf file for the Oracle Access Manager

Perform the following steps to generate the osso.conf file for the OAM Server using the OAM console :

  1. Log in to the OAM console.
  2. Navigate to the System Configuration tab. Select Agents and navigate to the OSSO Agents node. Click Create.
  3. Provide all the details such as the Base URL. Ensure that the Auto Create Policies check box is checked.
  4. Click Apply.
    The osso.conf file is generated for the OAM server. The location of the file is mentioned in the OAM console.
  5. Copy the generated osso.conf file to ORACLE_INSTANCE/config/OHS/<OHS_INSTANCE>.

2.1.1 Generating the osso.conf

2.1.2 Creating a New Store for DataSource 


2.1.3  Changing the Store from the default Store

2.1.4 Creating a new SSO user

2.2. Associating OID Host with a Forms Application



Running Forms with ssoMode=true

Edit the formsweb.cfg file and create a section with :

[frm_sso]
ssoMode=true
ssoDynamicResourceCreate=true

Run forms using :

http://servername:port/forms/frmservlet?config=frm_sso

If you have already created an SSO user (with ODSM), enter the credentials. The default RAD page is opened.

Running forms with ssoMode=webgate

Install the web tiers in standalone (without the domain) :

http://www.oracle.com/technetwork/java/webtier/downloads/index2-303202.html

http://docs.oracle.com/cd/E28280_01/install.1111/e14317/qinwt.htm

Install and configure webgate :

http://docs.oracle.com/cd/E21764_01/install.1111/e12002/webgate.htm#INOIM75755

"20 Installing and Configuring Oracle HTTP Server 11g Webgate for OAM"
Do not forget the "20.4 Post-Installation Steps"

Create a webgate agent :

You can create a WebGate 11g agent either with the RREG tool or through the OAM console.
Using the OAM console:

  1. Create a webgate 11g agent through OAM console.
    While creating the webgate agent, you must add the following URL to the Protected Resource List: /forms/frmservlet?*oamMode=true*
    Add "/" and "/.../" to the Public Resource List.
  2. Copy ObAccessClient.xml and cwallet.sso to the webgate instance directory of the relevant OHS as shown in the following example:

    cp <OAM_DOMAIN_HOME>/output/<Agent_Name>/*.xml <WEBGATE_INSTANCE>/webgate/config
    cp <OAM_DOMAIN_HOME>/output/<Agent_Name>/cwallet.sso <WEBGATE_INSTANCE>/webgate/config




  1.  Log in to the OAM Administration Console.
  2. Select Authentication Schemes and navigate to LDAPScheme.
  3. Set the ssoCookie parameter value to disablehttponly.
  4. Click Apply.

After copying ObAccessClient.xml and cwallet.sso to the webgate instance directory, restart OHS.

If the Web tier and WebGate have been installed on a separate host, follow these steps:

http://docs.oracle.com/cd/E23943_01/web.1111/e10240/basics.htm#i1021453
“3.2.3.2 Configuring OHS on a Separate Host”
(Copy the Forms OHS directives file, forms.conf.backup from the tier hosting Forms to the tier hosting OHS and rename it to forms.conf)

Edit the formsweb.cfg file and create a section with :

[frm_wgate]
ssoMode=webgate
ssoDynamicResourceCreate=true

Run forms using :

http://webgate_host:webtier_port/forms/frmservlet?config=frm_wgate

If you have already created an SSO user (with ODSM), enter the credentials. The default RAD page is opened.
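
Because SSO is switched on per formsweb.cfg section, a section that omits ssoMode falls back to the value in [default]. The following check is an added example, not part of the original article or Oracle's tooling: it lists the effective ssoMode of every section so that configurations reachable through ?config= without SSO stand out. The sample file, the [default] and [legacy] sections and the case-insensitive key matching are assumptions made for illustration.

```python
# Added example (not Oracle code): audit effective ssoMode per formsweb.cfg section.
SSO_VALUES = {"true", "mod_osso", "webgate"}  # ssoMode values that enable SSO

# Constructed sample; [default] and [legacy] are hypothetical sections.
SAMPLE_CFG = """\
[default]
form=test.fmx
ssoMode=false

[frm_sso]
ssoMode=true
ssoDynamicResourceCreate=true

[frm_wgate]
ssoMode=webgate
ssoDynamicResourceCreate=true

# section that silently inherits ssoMode=false from [default]
[legacy]
form=old.fmx
"""

def parse_formsweb(text):
    """Return {section: {key: value}}; keys lower-cased (assumption), comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def audit_sso(text):
    """Map each section to its effective ssoMode; named sections override [default]."""
    sections = parse_formsweb(text)
    default = sections.get("default", {})
    report = {}
    for name, params in sections.items():
        mode = {**default, **params}.get("ssomode", "false").lower()
        report[name] = {"ssoMode": mode, "sso_enabled": mode in SSO_VALUES}
    return report

def unprotected(text):
    """Names of sections a user can launch without going through SSO."""
    return [n for n, r in audit_sso(text).items() if not r["sso_enabled"]]

if __name__ == "__main__":
    print("Sections without SSO:", unprotected(SAMPLE_CFG))
```

Run it against the deployed formsweb.cfg after adding the [frm_sso] or [frm_wgate] section to confirm that no other section is still served without authentication.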

References :

http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm
“9.7.1 Configuring Forms J2EE application with Oracle Internet Directory”

http://docs.oracle.com/cd/E24269_01/doc.11120/e24477/sso.htm
"9.7.4 Installing and Configuring Webgate with OAM"

