eTrust SiteMinder Connector for Oracle Solutions Architecture, Installation and Configuration Guide - UNIX
CA Inc. Solution Engineering Team
100 Staples Drive, Framingham, MA 01702
Phone: (508) 628-8000
http://www.ca.com/

2006 CA, Inc. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. Netegrity, Inc. is a wholly-owned subsidiary of CA, Inc. eTrust SiteMinder products and associated documentation are protected by copyright and are distributed under a licensing agreement. CA Inc. has prepared this document for use by CA personnel, licensees, and customers. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, optical, magnetic, or otherwise, without prior written permission from CA. CA reserves the right to, without notice, modify or revise all or part of this document and/or change product features or specifications. This document is provided AS IS without warranty of any kind, either express or implied, and is subject to change without notice by CA. CA assumes no responsibility for any errors or omissions contained herein or in any products, documents or material referenced herein. In no event shall CA be liable for any direct, indirect, incidental, punitive or consequential damages of any kind resulting from the contents of this document or any representations made herein.

Questions, queries and comments should be emailed to bhanu.sareddy@ca.com. This is not a support mailbox, so support issues should not be directed here.
Contents

Introduction  4
Prerequisites  4
SiteMinder and Oracle AS Architecture  5
  SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package  6
  SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface  7
  Single Sign-On and Sign-Off Session Management  8
SiteMinder Connector Implementation with the Oracle PL/SQL Authentication Package  8
  SiteMinder Oracle AS Connector without a Proxy Agent  9
  SiteMinder Oracle AS Connector with a Proxy Agent  10
SiteMinder Connector Implementation with the OC4J Security Authentication Interface  11
Pre-Installation  12
  Install and Configure Oracle AS  12
  Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server  12
  Install and Configure the SiteMinder Policy Server  12
Software Installation for UNIX  13
  Install the Oracle AS Connector in the Oracle Database  14
  Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database  18
Installation Option 2: Connector with the OC4J Security Authentication Interface  21
  Configure the SiteMinder Policies for the Oracle AS Connector and Proxy Agent  23
    Configure a SiteMinder Agent for the Oracle AS Connector and Proxy Agent  23
    Configure a SiteMinder Agent Group for the Oracle AS Connector and Proxy Agent  23
    Configure a SiteMinder Policy Domain for the Oracle AS Connector and Proxy Agent  25
    Configure a SiteMinder Realm for the Oracle AS Connector and Proxy Agent  26
    Configure a SiteMinder Rule for the Oracle AS Connector and Proxy Agent  27
    Configure another SiteMinder Realm for the Oracle AS Connector and Proxy Agent  28
    Configure another SiteMinder Rule for the Oracle AS Connector and Proxy Agent  29
    Configure a SiteMinder Response for the Oracle AS Connector and Proxy Agent  30
    Configure a SiteMinder Policy for the Oracle AS Connector and Proxy Agent  32
  Configure the Oracle AS Connector and Proxy Agent  36
  Configure the Oracle HTTP Server for the PL/SQL Authentication Package  41
SiteMinder Oracle AS Connector Proxy Agent Startup  43
Post Installation  46
Troubleshooting  47
  SiteMinder Oracle AS Connector Logging  47
  SiteMinder Oracle AS Proxy Agent Logging  48
  SiteMinder Technical Support  48
Introduction
The Oracle Application Server (Oracle AS) provides security and single sign-on (SSO) for Oracle business applications deployed over the Internet, but it does not easily extend that security or single sign-on to other enterprise applications. As a result, many ERP customers have turned to eTrust SiteMinder to provide access control and single sign-on across all the applications in the enterprise, including their various ERP solutions. The SiteMinder Oracle Single Sign-On Connector enables SiteMinder to extend single sign-on to the Oracle Application Server and Portal. This document describes the architecture, installation, and configuration of the SiteMinder Oracle Single Sign-On Connector.
Prerequisites
The platform support matrix lists all supported combinations of Agents for Oracle Application Server, Web Agents, and operating systems. Go to http://support.ca.com to view the matrix.
SiteMinder and Oracle AS Architecture
SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package

The SiteMinder Oracle AS connector implements a two-tier single sign-on solution: the point of sign-on trust moves from the Oracle Single Sign-On Server to the SiteMinder policy server. When the Oracle PL/SQL authentication package wwsso_auth_external is implemented and installed in the database, the Oracle Single Sign-On Server delegates trust in the user's session to the SiteMinder Oracle AS connector through the package's authenticate_user method. That method is implemented to invoke the connector, which validates the SiteMinder session back at the policy server where it was generated. The SiteMinder web agent installed on the Oracle HTTP Server establishes the SiteMinder session after a successful SiteMinder login and represents it as an encrypted HTTP cookie and as HTTP header variables. The Oracle Single Sign-On Server presents the header variables that carry the SiteMinder session to the PL/SQL package, and authenticate_user calls the connector to validate that session with the policy server. If the policy server confirms the session is valid, the connector compares the user id the policy server associates with the session against the user id the Oracle Single Sign-On Server presents at single sign-on time. If the two user ids match, single sign-on is allowed; otherwise it is denied. Because the header values are trusted only after the policy server has confirmed the session they name, a request carrying a forged or expired session header is denied. This two-tier single sign-on solution is shown in the diagram below.
SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface

When the OC4J Security Authentication Interface is implemented and installed, the Oracle Single Sign-On Server delegates trust in the user's session to the SiteMinder Oracle AS connector through the authenticate method of the interface, IPASAuthInterface. That method is implemented to invoke the connector, which validates the SiteMinder session back at the policy server where it was generated. The SiteMinder web agent installed on the Oracle HTTP Server establishes the SiteMinder session after a successful SiteMinder login and represents it as an encrypted HTTP cookie and as HTTP header variables. The Oracle Single Sign-On Server presents all request header variables to the authenticate method of the OC4J Security Authentication Interface, and that method calls the connector to validate the SiteMinder session with the policy server. If the policy server confirms the session is valid, the connector compares the user id the policy server associates with the session against the user id the Oracle Single Sign-On Server presents at single sign-on time. If the two user ids match, single sign-on is allowed; otherwise it is denied. This two-tier single sign-on solution is shown in the diagram below.
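The decision that the authenticate_user (PL/SQL) and authenticate (OC4J, Java) hooks delegate to the connector, written out as an added example in Python. This is not CA's connector code nor Oracle's package code; the header name HTTP_SM_SESSION, the token format and the in-memory policy server stand-in are assumptions made for the example. What it shows is the fail-closed ordering described above: a request with no session header, a session the policy server rejects (unknown or expired), and a user-id mismatch are all denied, and only a policy-server-confirmed session bound to the presented user is allowed.

```python
"""Two-tier single sign-on check: the Oracle SSO hook delegates trust to SiteMinder.

Added example, not the connector's own code. The web agent on the Oracle HTTP
Server sets a SiteMinder session as header variables; the authenticate hook
hands the headers to the connector, which validates the session at the policy
server and then compares the user id the policy server returns with the user
id Oracle SSO presents. Header name, token format and the in-memory "policy
server" below are assumptions for this example.
"""
import time
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NO_SESSION = "deny: no SiteMinder session header"
    INVALID_SESSION = "deny: policy server rejected session"
    USER_MISMATCH = "deny: session user differs from presented user"


@dataclass
class PolicyServer:
    """Stand-in for the SiteMinder policy server that issued the sessions.

    Maps an opaque session token to (user id, expiry time). Real tokens are
    encrypted SMSESSION cookies; here they are plain strings (assumption).
    """
    sessions: dict = field(default_factory=dict)

    def issue(self, token: str, user: str, ttl_seconds: int, now: float) -> None:
        self.sessions[token] = (user, now + ttl_seconds)

    def validate(self, token: str, now: float):
        """Return the user id bound to a live session, or None if unknown/expired."""
        entry = self.sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            return None
        return user


# Header variable assumed to carry the session token set by the web agent.
SESSION_HEADER = "HTTP_SM_SESSION"


def authenticate_user(headers: dict, presented_user: str,
                      policy_server: PolicyServer, now: float = None) -> Decision:
    """Connector-side check invoked from the Oracle SSO authenticate hook.

    Fails closed: every path that cannot positively tie the presented user to a
    session the policy server confirms returns a deny decision.
    """
    now = time.time() if now is None else now
    token = headers.get(SESSION_HEADER)
    if not token:
        return Decision.NO_SESSION
    session_user = policy_server.validate(token, now)
    if session_user is None:
        return Decision.INVALID_SESSION
    # The header alone proves nothing; only the policy server's answer is trusted,
    # and it must name the same user Oracle SSO is about to sign on.
    if session_user != presented_user:
        return Decision.USER_MISMATCH
    return Decision.ALLOW


def demo():
    """Constructed scenario: one live session for alice, probed five ways."""
    ps = PolicyServer()
    t0 = 1_000_000.0
    ps.issue("tok-alice-1", "alice", ttl_seconds=600, now=t0)
    headers = {SESSION_HEADER: "tok-alice-1"}
    return [
        authenticate_user(headers, "alice", ps, now=t0 + 10),                  # valid, same user
        authenticate_user(headers, "bob", ps, now=t0 + 10),                    # valid session, wrong user
        authenticate_user({}, "alice", ps, now=t0 + 10),                       # no session header
        authenticate_user({SESSION_HEADER: "forged"}, "alice", ps, now=t0 + 10),  # unknown token
        authenticate_user(headers, "alice", ps, now=t0 + 601),                 # expired at the policy server
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

Only the first probe is allowed; the other four illustrate why the comparison step matters even after the policy server has accepted the token: a valid session presented alongside a different Oracle user id is still refused.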
Single Sign-On and Sign-Off Session Management

Many Internet applications use independent session management schemes. The most common scheme is a cookie, but the session information is still independent and is encoded and protected differently by each vendor and application. For this reason, SiteMinder's replay prevention and session management logic is sometimes bypassed. One of the main security problems when integrating applications that maintain their own sessions is that the SiteMinder session and the application sessions may not remain synchronized as the user logs in and out of each application. This is especially true when there is more than one ERP application in the environment, since each ERP application manages its own session independently of the others.

The SiteMinder Oracle AS connector includes another software component, the SiteMinder Session Linker, whose purpose is to manage and synchronize independent application sessions with the SiteMinder session. It links the SiteMinder session to all the other application sessions in the environment, including the Oracle AS session. Thus when a user logs out of one application, the SiteMinder session is no longer valid, and the other application sessions tied to it are no longer valid either: the user is logged out of every application in the environment tied to the SiteMinder session. The SiteMinder Session Linker is a web server plug-in that monitors the SiteMinder session, the Oracle AS session and other ERP application sessions; when an application session diverges from the SiteMinder session, the user is challenged to log in until a new session with the application is established. The eTrust SiteMinder Oracle AS connector together with the SiteMinder Session Linker provides single sign-on and sign-off to Oracle AS: the connector provides single sign-on and the Session Linker provides single sign-off.

Refer to the Netegrity Professional Services Session Linker Administrator Guide for more information about the SiteMinder Session Linker.
SiteMinder Connector Implementation with the Oracle PL/SQL Authentication Package

Each PL/SQL session spawns its own extproc process to load the shared library and call the external routines in it. Thus each user login spawns a separate process that loads the connector library and validates the session. For this reason it is recommended that the connector always communicate with the policy server through the Oracle AS connector proxy agent whenever possible, rather than directly. When the proxy agent is not used, PL/SQL loads the connector for each user login, and each connector instance acts as an agent that opens its own connection to the policy server to make a single session validation request, instead of reusing connections already established to the policy server for many validation requests. Agent load balancing across policy servers is also lost, since each login request opens its own agent connection and makes a single session validation request over it.
SiteMinder Oracle AS Connector without a Proxy Agent

The diagram below shows the SiteMinder Oracle AS Connector without the Oracle AS Proxy Agent.

Notice in the diagram that each Oracle client login loads the Oracle AS connector, which exists throughout the client's session. This is a result of how PL/SQL calls external routines in an external library. Each connector therefore opens its own connection to the policy server to service one user session validation request. The connector communicates with the policy server over a TCP socket; the connector and policy server may reside on different systems in the internal network, not in the DMZ. In this model each connector handles exactly one session validation request, and an agent connection to the policy server is established and closed for every login request. This is inefficient and expensive: a great deal of time is spent opening and closing connections with the policy server. In addition, a connector cannot load balance between multiple policy servers, since it only ever makes one session validation request. For these reasons, it is recommended to always use the Oracle AS connector with the Oracle AS connector proxy agent.
SiteMinder Oracle AS Connector with a Proxy Agent

The diagram below shows the SiteMinder Oracle AS Connector with the Oracle AS Proxy Agent.

As shown in the diagram, each Oracle client login still loads the Oracle AS connector, which exists throughout the client's session, but each connector opens a connection to the Oracle AS Proxy Agent to service its user session validation request. The connector and the proxy agent communicate via a named stream pipe, so they must reside on the same system. The proxy agent communicates with the policy server on behalf of the connectors over TCP sockets; these connections remain open and are reused across connectors. The proxy agent and policy server may reside on different systems in the internal network, not in the DMZ. In this model each connector still handles one session validation request, but the proxy agent handles many session validation requests with the policy server on behalf of the connectors, so no new agent connection to the policy server is opened for each login: requests use connections already established in the proxy agent's pool. This model also supports load balancing the user session validation requests across multiple policy servers. If the proxy agent is unavailable to handle session validation requests, the connector fails over to communicating directly with the policy server for its user session validation request. Note that this failover reverts to the per-login connection model described in the previous section, so the proxy agent's availability directly affects the load placed on the policy servers.
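The two connection models above (connector without a proxy agent, and connector with a proxy agent plus failover), as an added simulation in Python. This is not CA's code: policy servers, the connection pool, the named pipe and the sessions are simulated in memory, and the server names, pool size of two connections per policy server and round-robin balancing are assumptions for the example. Running it shows that without the proxy agent the number of policy-server connections equals the number of logins, that the proxy agent's pool is opened once and requests rotate across policy servers, and that when the proxy agent is down each connector falls back to a direct one-shot connection and still validates correctly.

```python
"""Connector-to-policy-server connection models. Added example, not CA's code.

Without the proxy agent, every PL/SQL login loads a connector that opens its own
policy-server connection for a single validation. With the proxy agent,
connectors hand the request to a local proxy that keeps a pool of connections
open, spreads requests across policy servers, and is bypassed (direct
connection) when it is unavailable. Names, pool size and the "pipe" are
assumptions; everything is simulated in memory.
"""
import itertools
from dataclasses import dataclass


@dataclass
class PolicyServerNode:
    name: str
    sessions: dict                 # token -> user id (stand-in for real session state)
    connections_opened: int = 0
    requests_served: int = 0

    def open_connection(self) -> "Connection":
        self.connections_opened += 1
        return Connection(self)


@dataclass
class Connection:
    node: PolicyServerNode

    def validate(self, token: str):
        self.node.requests_served += 1
        return self.node.sessions.get(token)


class ProxyAgent:
    """Local proxy, one per host, reached by connectors over a named pipe (simulated)."""

    def __init__(self, nodes, connections_per_node=2):
        self.available = True
        # The pool is opened once at startup and reused for every request.
        self.pool = [node.open_connection()
                     for node in nodes for _ in range(connections_per_node)]
        self._round_robin = itertools.cycle(self.pool)

    def validate(self, token):
        if not self.available:
            raise ConnectionError("proxy agent not listening on pipe")
        return next(self._round_robin).validate(token)   # load balance across nodes


class Connector:
    """Per-login connector loaded by extproc; it handles exactly one validation."""

    def __init__(self, nodes, proxy=None):
        self.nodes = nodes
        self.proxy = proxy

    def validate(self, token):
        if self.proxy is not None:
            try:
                return self.proxy.validate(token)
            except ConnectionError:
                pass                     # proxy down: fail over to direct mode
        # Direct mode: open a connection, ask once, drop it. No pooling, no balancing.
        return self.nodes[0].open_connection().validate(token)


def simulate(logins, use_proxy, proxy_down=False):
    """Run `logins` independent logins and report connections/requests per node."""
    sessions = {f"tok-{i}": f"user{i}" for i in range(logins)}      # constructed sessions
    nodes = [PolicyServerNode("ps-a", sessions), PolicyServerNode("ps-b", sessions)]
    proxy = ProxyAgent(nodes) if use_proxy else None
    if proxy is not None:
        proxy.available = not proxy_down
    results = [Connector(nodes, proxy).validate(f"tok-{i}") for i in range(logins)]
    return {
        "all_valid": all(results[i] == f"user{i}" for i in range(logins)),
        "connections": {n.name: n.connections_opened for n in nodes},
        "requests": {n.name: n.requests_served for n in nodes},
    }


if __name__ == "__main__":
    print("no proxy:   ", simulate(10, use_proxy=False))
    print("proxy up:   ", simulate(10, use_proxy=True))
    print("proxy down: ", simulate(10, use_proxy=True, proxy_down=True))
```

With ten logins, the direct model opens ten connections to the first policy server; the proxy model opens four at startup and serves all ten requests over them, six to ps-a and four to ps-b; with the proxy agent down, the four pooled connections sit idle and ten fresh direct connections are opened, which is the degraded behaviour the failover note above warns about.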
Pre-Installation

The Oracle AS and SiteMinder environments must be installed and configured before the SiteMinder Oracle AS connector is installed and configured. This includes installing the SiteMinder Web Agent for the Oracle HTTP Server and the SiteMinder Policy Server, as well as configuring the SiteMinder policies for the Oracle AS environment.

Install and Configure Oracle AS

Install and configure Oracle AS in the environment, if it does not already exist.

Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server

Install and configure the SiteMinder Apache Web Agent on the Oracle HTTP Server. To install and configure a SiteMinder Web Agent, refer to the SiteMinder Web Agent Installation Guide and the SiteMinder Web Agent Guide.

Install and Configure the SiteMinder Policy Server