Switching to External Authentication

12 Switching to External Authentication

For maximum security in production environments, Oracle recommends integrating Oracle WebCenter Sites with Oracle Access Management, for an advanced identity management solution and a seamless single sign-on user experience. You also have the option of integrating WebCenter Sites with an external LDAP authentication provider directory.

The following topics describe how to configure WebCenter Sites for authentication against either external identity management solution:

Switching to Authentication Against an LDAP Directory

This topic describes how to switch WebCenter Sites to authentication against an external LDAP authentication provider directory. This is a recommended solution for production environments if integration with Oracle Access Management is not viable.

Before you change your authentication provider, install and configure WebCenter Sites.

To switch WebCenter Sites to authentication against an external LDAP directory:

(Optional) Modify ldap.caseAware property value to true, if the LDAP server you are using is case sensitive.
By default the value of ldap.caseAware is set to false. Sign in will fail if you are using a case-sensitive LDAP server and this property is set to false. To modify the ldap.caseAware value to True follow the steps:
- Sign in to the WebCenter Sites Admin interface and navigate to Admin tree tab>System Tools>Property Management option.
- Search for ldap and change the value from False to True.
- Restart the Managed server.
Note:
During the integration of Sites with LDAP, if the users data in LDAP is separated by a comma the data does not get fetched. for example: test,user. To retrieve the data, you need to change the syntax in the dir.ini file located at ..sites/install directory from "syntax.escape=\\ to syntax.escape=\#".
Access the LDAP Configurator at http://sites-host:sites-port/sites-context/ldapconfig, follow the instructions on the screen, and enter the values for your environment.
For LDAP rollback, restart the WebCenter Sites Managed Server, and go to the same LDAP Configurator URL.

Now there is only manual LDAP integration. Nothing is written to your LDAP Server, only an LDIF file is created under the DOMAIN_HOME/wcsites/wcsites/config/ldap folder (This is the default install location of WebCenter Sites application. All customizations and path modifications should be made after successful LDAP integration). The peopleparent, groupparent, username, and other fields are not prepopulated, as in the previous release.

(Optional) Modify the LDIF file located in NEW_DOMAIN_HOME/wcsites/wcsites/config/ with values appropriate for your environment.

Because the fields are not prepopulated, follow this example for ORACLEDIR :

ldap server type -- ORACLEDIR
ldap DSN -- dc=oracle,dc=com
ldap host -- localhost
ldap port -- 389
ldap username -- cn=orcladmin
ldap password -- password
ldap peopleParent -- cn=Users,dc=oracle,dc=com
ldap groupparent -- cn=Groups,dc=oracle,dc=com

If you choose Oracle Virtual Directory as your LDAP authentication provider, WebCenter Sites generates an LDIF file, which you can import to your Oracle Internet Directory server and then create an adaptar in Oracle Virtual Directory to connect to the Oracle Internet Directory server.

You cannot import an LDIF file directly to an Oracle Virtual Directory LDAP server because it does not have a storage of its own.
Import the LDIF file into the external LDAP authentication provider.
Restart the WebLogic Managed Server running this WebCenter Sites instance.

Switching to Authentication Against Oracle Access Manager

You can configureWebCenter Sites for authentication against Oracle Access Manager. This solution is recommended for production environments.

It is assumed that customer already has OAM Server running. This OAM integration would require configuration in the OAM Server using oamconsole and some configuration changes in the Sites.

WebCenter Sites integration is supported for Oracle Access Manager 14c (14.1.2.0.0),

To switchWebCenter Sites to authentication against Oracle Access Manager:

Sign in to Oracle Access Manager Server through oamconsole, for example: http://<oam_host:oam_port>/<oam console>/ and configure a WebGate.
Deploy the oamlogin.war and oamtoken.war application files located under NEW_ORACLE_HOME/wcsites/webcentersites/sites-home on the WebLogic domain containing the targetWebCenter Sites instance.
Create the wemsites_settings.properties property file under DOMAIN_HOME/wcsites/wcsites/config/.

Enter the values in the wemsites_settings.properties file as follows:

Elements	Properties
`oamredirect`	`http://oam_server_host:oam_port/oam/server/auth_cred_submit`
`oamlogout`	`oamlogout=http://oam_server_host:oam_port/oam/server/logout`
`forgotpassword`	`helpdesk-email-address`

Set the following properties in NEW_DOMAIN_HOME/wcsites/wcsites/config/SSOConfig.xml. See Step 12 of Integration Steps.

Elements	Properties
`serviceUrl`	`http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST`
`ticketUrl`	`http://{oamtoken_server_host}:{oamtoken_port}/oamtoken`
`signoutURL`	`http://{oam_server_host}:{oam_port}/oam/server/logout?end_url={end_url}` Use this URL when invokingWebCenter Sites logout. It includes the encoded URL where the browser will return after all logout processing has been completed by Oracle Access Manager.
`end_url`	For test (staging) and production (delivery) environments: `http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome`
`dbUsername`	Name of theWebCenter Sites general Administrator user account.
`dbPassword`	Password for the WebCenter Sites general Administrator user account.

Note:

The ohs_server host and ohs_port can be WebLogic host and port or any other HTTP server host and port depending on your configuration. For more information on OHS configuration, see Step 2 to Step 9 of Integration Steps. Add the below example for configuration in OAM OHS, mod_wl_ohs.conf file.

<IfModule weblogic_module>
    <Location /oamlogin>
     SetHandler weblogic-handler
       WebLogicHost SITES_HOST       
WebLogicPort SITES_PORT   
</Location> 
</IfModule>
  <IfModule weblogic_module>
 <Location /sites>
       SetHandler weblogic-handler
       WebLogicHost SITES_HOST
       WebLogicPort SITES_PORT
 </Location>
 </IfModule>

Copy the obAccsessClient.xml and cwallet.sso files from your Oracle Access Manager instance into the NEW_DOMAIN_HOME/wcsites/wcsites/config/oblix/lib/ directory on the targetWebCenter Sites instance.

Note:
These files are auto-generated after the WebGate is configured.
Edit the oamtoken.xml file in the sites-config directory by setting the compatibility mode and oblix path. The compatibility mode should be set to 11g and the oblix path to the sites-config folder under which you have the oblix/lib folder.
In the Oracle Access Manager configuration for WebCenter Sites, update the protected, public, and excluded resources as follows:

Figure 12-1 List of Protected, Public, and Excluded Resources for WebCenter Sites

Description of "Figure 12-1 List of Protected, Public, and Excluded Resources for WebCenter Sites"

See Updating the Protected, Public, and Excluded Resources for an Enterprise Deployment.
To integrate the OAMSDK Client with WebLogic Server as the oamtoken.war application, edit the jps-config.xml file for the WebCenter Sites domain. By default, the WebLogic domain runs with this file, which is part of the WebLogic Server startup script:

-Doracle.security.jps.config=NEW_ORACLE_HOME/user_projects/domains/DOMAIN_NAME/config/fmwconfig/jps-config.xml
1. Add a service instance, as the following example shows, next to existing service instances in the existing jsp-config.xml file:
  <serviceInstance name="credstore.oamtoken" provider="credstoressp" location="./oamtoken">
  
  <description>File Based Credential Store Service Instance</description>
  
  <property name="location" value="./oamtoken"/>
  
  </serviceInstance>
  
  location is the path to the directory that contains the cwallet.sso file. The preceding example sets this path with reference to the current jsp-config.xml file. Make sure the omtoken folder is created with respect to the current directory and the cwallet.sso file is placed there. The location value can also be an absolute path to where the cwallet.sso file is placed
2. Add <serviceInstanceRef ref="credstore.oamtoken"/> under <jpsContext name="default">.
3. Add following <jpsContext> element under <jpsContexts default="default">:
  <jpsContext name="OAMASDK">
  
  <serviceInstanceRef ref="credstore.oamtoken"/>
  
  </jpsContext>
Add permissions so that code in oamtoken.war can be used.
The WebGate instance created in Oracle Access Manager is accessed by the client. You need to add the credential to the WebCenter Sites domain so that the security restriction can be taken care of.
1. Launch the WebLogic Scripting Tool with the wlst.sh script:
  cd NEW_ORACLE_HOME/oracle_common/common/bin/./wlst.sh
2. Connect to the Administration Server for the WebCenter Sites domain:
  connect('user-name','password','sites-host:admin-port')
3. Grant the permissions:
  grantPermission(codeBaseURL="file:/scratch/idc/newoam/rend/Oracle_Home/user_projects/domains/renddomain/servers/wcsites_server1/tmp/_WL_user/oamtoken/-", permClass="oracle.security.jps.service.credstore.CredentialAccessPermission",permTarget="context=SYSTEM,mapName=OAMAgent,keyName=*",permActions="*")
  
  The preceding path is basically the path where WebLogic Server has deployed the oamtoken.war application.
4. Restart the target WebCenter Sites Managed Server.
(Optional) If trust betweenWebCenter Sites and Oracle Access Manager has not been established, modify the configuration of theWebCenter Sites web tier as follows:
1. Sign in to the Oracle Access Manager Console.
2. In the WebGate authorization policy (under the protected resource policy), go to the Responses tab.
3. Enable (select) the Identity Assertion check box.
4. Click Apply to save your changes.

(Optional) If WebCenter Sites is deployed on a cluster is using OAM Integration. Following steps are required to be replicated on oamticketcache cache.

In the config directory, we have cas-cache.xml where oamticketcache is configured by default.

Uncomment the commented section in the cache named oamticketcache the section appear as:

<cacheEventListenerFactory
class="net.sf.ehcache.distribution.RMICacheReplicatorFactory"  
properties="replicateAsynchronously=true, replicatePuts=true,
replicateUpdates=true,
	replicateUpdatesViaCopy=false, replicateRemovals=true"/>
<bootstrapCacheLoaderFactory 
class="net.sf.ehcache.distribution.RMIBootstrapCacheLoaderFactory"
		properties="bootstrapAsynchronously=false,
			maximumChunkSizeBytes=5000000"
		propertySeparator="," />

Change the cacheManagerPeerProviderFactory as follows, make sure port is unique.

<cacheManagerPeerProviderFactory
class="net.sf.ehcache.distribution.RMICacheManagerPeerProviderFactory"
	properties="peerDiscovery=automatic,
multicastGroupAddress=230.0.0.8,
		multicastGroupPort=40002, timeToLive=1" />

The port should be different for cacheManagerPeerProviderFactory and cacheManagerPeerListenerFactory as specified in the earlier steps.
All the cluster nodes should have same port for both the properties.

For working on the SSOConfig.xml file, follow the steps:

Modify the SSOConfig.xml file of theWebCenter Sites deployment. This file controls the loaded authentication classes and the properties that are required by those classes.
Shutdown the Sites server.
Backup the SSOConfig.xml file located in the WEB-INF/classes directory of the deployed WebCenter Sites application.
For example: /u01/software/Apps/OraMiddleware/user_projects/domains/OAMSitesDomain/wcsites/wcsites/config/SSOConfig.xml.
Modify SSOConfig.xml as follows:

Note:
Further steps explains on setting properties for the following: serviceUrl, ticketUrl, signoutURL, dbUsername, and dbPassword. See Step 5.
The signoutUrl property specifies the URL to be used when invoking WebCenter Sites logout. It includes the encoded URL where the browser will return after all logout processing has been completed by OAM.
For Sites management, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome

For Sites delivery, use the following value for end_url: http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome

For the dbUsername and dbPassword properties, you can enter the credentials of the WebCenter Sites general administrator, which by default is fwadmin/xceladmin. The values for these properties will be encrypted on startup of the WebCenter Sites application.

Note:

In the code example below, you will set the following properties: csServerUrl, serviceUrl, ticketUrl, signoutURL, dbUsername, dbPassword. See Step 5.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:context="http://www.springframework.org/schema/context"
    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.5.xsd
        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-2.5.xsd">

	<!-- Single Sign On provider -->
   <bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
   <property name="config" ref="ssoconfig" />
  </bean>

<!-- OAM IdentityResolver bean -->
  <bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver id="oamIdentity">
    <property="csServerUrl" value="http://<sites_server_host>:<sites_port>/<sites_context_root>/custom/customCsResolver.jsp
  </bean>

<!-- Single Sign On filter -->
  <bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
    <property name="config" ref="ssoconfig" />
    <property name="provider" ref="ssoprovider" />
    <property name="identityResolver" ref="oamIdentity" />
    <property name="trustConfigured" value="false" />
  </bean>

  <!-- Single Sign On listener -->
  <bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
  </bean>

  <!-- Single Sign On configuration -->
  <bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
    <!-- URL prefix for REST service endpoint -->
    <property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
    <!-- URL prefix for Token Service servlet -->
    <property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
    <!-- URL to be called when WEM logout is required. -->
    <property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome" />
    <!-- Proxy tickets, tt's the last server in the call chain -->
    <property name="proxyTickets" value="true" />
    <!-- Your application protected resources (relative to applicationUrl) -->
    <property name="protectedMappingIncludes">
      <list>
      </list>
    </property>
    <property name="protectedMappingStatelessIncludes">
      <list>
                <value>/REST/**</value>
      </list>
    </property>
    <!-- Your application protected resources excludes (relative to applicationUrl) -->
    <property name="protectedMappingExcludes">
      <list>
      </list>
    </property>
  </bean>

</beans>

After you authenticate OAM, you need to perform the following integrations:

Integrating SiteCapture with OAM

This topics covers steps to integrate SiteCapture with OAM.

Oracle Access Manager integration for SiteCapture you need to follow the steps:

Integrate Oracle WebCenter Sites with Oracle Access Manager. For more information see, Integrating OAM with Oracle WebCenter Sites.

Additional configuration required for Oracle Access Manager for SiteCapture.

Create additional resource definitions (see table below) for the WebCenter Sites application domain.

Resource URL	Protection level	Authentication	Authorization
`/<sites-context>/REST/roles`	Unprotected	Public	All Allowed
`/<sites-context>/custom/customCsResolver.jsp`	Unprotected	Public	All Allowed
`/resources/.../*`	Excluded	NA	NA
`/__admin/.../*`	Protected	Protected	Protected

Configure the Protected Resource Policy as follows:

Click Application Domains and click the Open icon.
Click Search and select WCSitesWebGate.
Click the Authentication Policies tab and select Authentication Policies . For Authentication Scheme, select LDAPWemScheme, the authentication scheme previously created.
Click Responses tab.
Select the Identity Assertion checkbox.
When an Authentication policy is satisfied, it can create responses. The responses are required by the WebCenter Sites HTTP filter to recognize LDAP attributes and provide information about the authenticated user. In the following steps, you will create these responses.
Click the Add (+) icon. and enter the following:

For Name: Enter FATGATE_CSTIMEOUT
For Type: Select Header
For Value: Enter 30

SiteCapture Application Installation. During installation process of SiteCapture use parameters that are mentioned below:

Property Description	Property	Value
Content server host name or IP	fw.cs.hostname	{ohs_host}
Content server app server port	fw.cs.port	{ohs_port}
Content server context	fw.cs.context	{sites_context_root}
Content server protocol (http or https)	fw.cs.protocol	{sites.protocol}
Content Server user name having RESTADMIN role	fw.cs.username	{username}
Content server user password	fw.cs.password	{password}
SiteCapture server hostname or IP	fw.sc.hostname	{sc_host}
SiteCapture app server port	fw.sc.port	{sc_port}
SiteCapture protocol (http or https)	fw.sc.protocol	{sc.protocol}
CAS server hostname	fw.cas.host	{ohs_host} in installer. Or Empty in sitecapture.properties
CAS server port	fw.cas.port	{ohs_port} in installer. Or Empty in sitecapture.properties
CAS server context	fw.cas.context	cas in installer. Or Empty in sitecapture.properties

Adjust the root-context.xml file in SiteCapture Application. SiteCapture shipped with two files:

root-context.xml
Backup root-context.xml file and rename to root-context.xml.bak file.

oam_root-context.xml

Rename oam_root-context.xml file to root-context.xml file.

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:jdbc="http://www.springframework.org/schema/jdbc"
	xmlns:p="http://www.springframework.org/schema/p" xmlns:context="http://www.springframework.org/schema/context"
	xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
	http://www.springframework.org/schema/jdbc http://www.springframework.org/schema/jdbc/spring-jdbc-3.1.xsd
	http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.1.xsd">

	<bean id="propertyConfigurer" class="org.springframework.beans.factory.config.PropertyPlaceholderConfigurer" />
	<!-- Root Context: defines shared resources visible to all other web components -->
	
	<jdbc:initialize-database data-source="dataSource"	enabled="true" ignore-failures="ALL">		
		<!-- For installer the first jdbc:script will opened. Installer will configure it automatically -->
		<jdbc:script location="classpath:crawler_oracle_db.sql" />
		<!--jdbc:script location="classpath:crawler_hsql_db.sql" /-->
		<!--jdbc:script location="classpath:crawler_sql_server_db.sql" /-->
		<!--jdbc:script location="classpath:crawler_oracle_db.sql" /-->
		<!--jdbc:script location="classpath:crawler_db2_db.sql" /-->
	</jdbc:initialize-database>
	
	<!-- Section# 1 Installer will consume below configuration to configure a datasource name created on the appservers -->
	<bean id="dataSource" class="org.springframework.jndi.JndiObjectFactoryBean">
		<property name="jndiName" value="wcsitesDS"/>
	</bean>
	
	<!-- Single Sign On provider -->
	<bean id="ssoprovider" class="com.fatwire.wem.sso.oam.OAMProvider">
		<property name="config" ref="ssoconfig" />
	</bean>
	<!--It is invoked by the OAM filter to resolve an OAM authenticated user against a remote Site CS instance.--> 
	<bean id="oamIdentity" class="com.fatwire.auth.identity.RemoteUsernameResolver" >
		<property name="csServerUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/custom/customCsResolver.jsp"/>
	</bean>
  
	<!-- Single Sign On filter -->
	<bean id="ssofilter" class="com.fatwire.wem.sso.oam.filter.OAMFilter">
		<property name="config" ref="ssoconfig" />
		<property name="provider" ref="ssoprovider" />
		<property name="identityResolver" ref="oamIdentity" />
		
		<!-- Set "trustConfigured" to "true" in case of trust relationship configured between WebGate and WLS.
		It will turn off check for OAM_ASSERTION header. -->
		<property name="trustConfigured" value="false" />
	</bean>
  

	<!-- Single Sign On listener -->
	<bean id="ssolistener" class="com.fatwire.wem.sso.oam.listener.OAMListener">
	</bean>
	
	<!-- Single Sign On configuration -->
	<bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
		<!-- URL prefix for REST service endpoint -->
		<property name="serviceUrl" value="http://{ohs_server_host}:{ohs_port}/{sites_context_root}/REST" />
		
		<!-- URL prefix for Token Service servlet -->
		<property name="ticketUrl" value="http://{oamtoken_server_host}:{oamtoken_port}/oamtoken" />
		
		<!-- URL to be called when WEM logout is required. -->
		<property name="signoutUrl" value="http://{oam_server_host}:{oam_port}/oam/server/logout?end_url=http%3A%2F%2F{ohs_server_host}%3A{ohs_port}%2F{sites_context_root}%2Fwem%2Ffatwire%2Fwem%2FWelcome"/>
		
		<!-- Do not proxy tickets, tt's the last server in thecall chain -->
		<property name="proxyTickets" value="false" />
		
		<!-- Database Credentials needed by user lookup inOAMFilter -->
		<property name="dbUsername" value="fwadmin" />
		<property name="dbPassword" value="xceladmin"/>
		
		<!-- Your application protected resources (relative to applicationUrl) -->
		<property name="protectedMappingIncludes">
			<list>
				<value>/__admin</value>
				<value>/__admin/**</value>
			</list>
		</property>
		
		<!-- Your application protected resources excludes (relative to applicationUrl) -->
		<property name="protectedMappingExcludes">
			<list>
				<value>/__admin/layout</value>
			</list>
		</property>
		<property name="applicationProxyCallbackPath" value="/sso/proxycallback" />
		<property name="gateway" value="false" />
	</bean>
	
	<context:component-scan base-package="com.fatwire.crawler.remote.dao" />
	<context:component-scan base-package="com.fatwire.crawler.remote.support" />
	<context:component-scan base-package="com.fatwire.crawler.remote.di" />
	<context:component-scan base-package="com.fatwire.crawler.remote.resources.support" />

</beans>

Note:

To update mod_wl_ohs.conf file the following code has to be included:

<IfModule weblogic_module>
<Location /__admin>
		SetHandler weblogic-handler
		WebLogicHost SITECAPTURE_HOST
	WebLogicPort SITECAPTURE_HOST 
</Location>
</IfModule>

Integrating OAM with Oracle WebCenter Sites: Satellite Server

This topics covers steps to integrate OAM with Oracle WebCenter Sites: Satellite Server.

Configuring a Satellite Server for Oracle Access Manager integration is a simpler procedure than for WebCenter Sites. For more information on Integrating OAM with WebCenter Sites using Satellite Server, see Integrating OAM with Oracle WebCenter Sites: Satellite Server

Note:

The code example below gives the RSS configuration in OAM OHS, and mod_wl_ohs.conf file.

<IfModule weblogic_module>
 <Location /ss>
       SetHandler weblogic-handler
       WebLogicHost SATELLITESERVER_HOST
     WebLogicPort SATELLITESERVER_HOST
 </Location>
 </IfModule>

Integrating OAM with Visitor Services

This topic covers steps to integrate OAM with Visitor Services.

Before performing steps described in this section, ensure that you have configured the OAMIdentityProvider provided with Visitor Services. The OAM identity provider enables Visitor Services to communicate with OAM. For more information on Integrating OAM with Visitor Services, see Oracle Fusion Middleware Developing with Oracle WebCenter Sites.

Note:

The code example below gives the Visitor configuration in OAM OHS, and mod_wl_ohs.conf file.

<IfModule weblogic_module>
    <Location /oamlogin>
      SetHandler weblogic-handler
       WebLogicHost SITES_HOST
       WebLogicPort SITES_PORT
   </Location>
 </IfModule>
 <IfModule weblogic_module>
 <Location /visitors-webapp>
   SetHandler weblogic-handler       
	WebLogicHost VISITORSERVICES_HOST    
	WebLogicPort VISITORSERVICES_HOST
 </Location>
 </IfModule>

Switching to Authentication OAM Using Detached Credential Collector

This topic will show the steps to configure the two webgates and two OHS. You can configure Site Capture, Satellite Server, and Visitor Services to OAM in the similar using the steps in this topic.

In the earlier topics, you can see that the credentials are collected directly by OAM server, which is exposed OAM Server’s host and post, causing a security threat but with the introduction of DCC (Detached Credential Collector) webgate credentials you can now collect it at the webgate, which is transferred to OAM by webgate for further processing. DCC will not expose OAM server host and port, which mitigates the security threat. DCC can be configured using a single webgate and single OHS or two webgates (For exmaple, DCC webgate and Resource webgate) and two Oracle HTTP Servers (each OHS server will host the respective webgate files).

Prerequisites

This chapter lists the prerequisites required for configuring the Detached Credential Collector.

The following are the prerequisites for configuring DCC:

WebCenter Sites 14.1.2.0.0 is installed with CAS and is in working condition.
OAM 11.1.2.3.0 is installed and OAM domain is configured along with two OHS configured for webgate. The list below are required softwares for this installation:
- OAM 11.1.2.3.0. For example : ofm_iam_generic_11.1.2.3.0_disk*.zip.
- RCU 11.1.1.9.0. For example : ofm_rcu_linux_11.1.1.9.0_64_disk*.zip.
- Latest version of SOA suite.
- WebTier 11.1.1.9.0. For example : ofm_webtier_linux_11.1.1.9.0_64_disk*.zip
- WebGate 11.1.2.3.0. For example : ofm_webgates_generic_11.1.2.3.0_disk*.zip

DCC WebGate Configuration

This topic describes hot to configure DCC Webgate.

To configure DCC Webgate, follow the steps:

Login to oamconsole. The Launch Pad of Application Security opens.
Click Agents >Create Webgate. The Create Webgate form opens.
In the Create Webgate form, enter the following values as given below:
1. Version : 11g
2. Name : DCC-11g-WG. For example, enter Some arbitrary name.
3. Host Identifier : DCC-11g-WG. For example, enter Some arbitrary name.
4. Security : Select the option of your choice
5. Auto Create Policies : Leave the default selected option.
Click Apply.
A new webgate named DCC-11g-WG is created with default values. In the webgate form, update the following fields:
1. Logout URL : /oamsso-bin/logout.pl
2. Logout Callback URL : /oam_logout_success
3. Logout Redirect URL : http://{OAM_host:OAM_port}/oam/server/logout
4. Logout Target URL : end_url
5. Allow Credential Collector Operations : Leave the default selected option.
Click Apply.
Navigate to Launch Pad and click on Access Manager>Host Identifiers.
A Search form is displayed, click Search
Click Host Identifier DCC-11g-WG as created in Step 3c.
Add the Hostname and port by clicking on ‘+’ in Host Name Variations area.
After entering all the details, click Apply.

Note:
These are the hostname and port of OHS to where DCC webgate files are copied to display the login challenge.
Navigate to Launch Pad and click Authentication Schemes.
A Search form is displayed, click Create.
Create a new Authentication theme that will be used by both the webgates as given in Step 15 a to g.
Click Apply. Using Weblogic’s Embedded LDAP as LDAP authentication module where fwadmin user is added to myrealm using the WebLogic Remote Console.
1. Name : DCCAuthnScheme14c. For example, enter Some arbitrary name.
2. Authentication Level : 2
3. Challenge Method : FORM
4. Challenge Redirect URL : http://{OHS_Host_of_Resource_Webgate:OHS_Port}
5. Authentication Module : LDAP
6. Challenge URL : /oamsso-bin/login.pl
7. Context Type : external
Navigate to Launch Pad and click Application Domains.
A Search form is displayed, click Search, which should display all the application domains available that are created by default when a webgate is created.
Click Application Domain (created in Step 3b), which should open the application domain with multiple tabs and Summary is opened by default.
1. Click Resources tab, which will display search form along with Create button.
2. Click Create, update the form as below:
  
  Note:
  Add other excluded URLS similar to below, with changing Resource URL with each Create.
  - Type : HTTP
  - Host Identifier : DCC-11g-WG ( Name given in Step 3c)
  - Resource URL : /oamsso-bin/login.pl
  - Protection Level : excluded
3. Click Apply.
4. Click Authentication Policies tab and then click Protected Resource Policy. Update the form as below and click Apply.
  - Authentication Scheme : DCCAuthnScheme14c as created in Step 15.
Copy the DCC webgate files as given below created in WebLogic domain ($DOMAIN_HOME/output/DCC-11g-WG) to the OHS folder ($OHS_INSTANCE_HOME/config/OHS/$OHS_NAME /webgate/config) hosting these webgate files.
- ObAccessClient.xml
- cwallet.sso
Restart the OHS.

Resource WebGate Configuration

This topics provides steps to configure the Resource Webgate.

To configure the Resource WebGate, follow the steps:

Login to oamconsole, which should display Launch Pad of Application Security.
Click Agents > create Webgate, which should display Create Webgateform.
Input the values as below in the Create Webgate form.
1. Version : 11g
2. Name : Resource-11g-WG (Some arbitrary name)
3. Host Identifier : Resource-11g-WG (Same as Name above or some arbitrary name)
4. Security : Open (select the option of your choice)
5. Auto Create Policies : Option Selected
Click Apply
A new webgate named Resoruce-11g-WG is created with default values. In the webgate form, update the following fields:
1. Logout URL : /logout
2. Logout Callback URL : /oam_logout_success
3. Logout Redirect URL : http://{OAM_Host_of_DCC_Webgate:OAM_Port}/oamsso-bin/logout.pl
4. Logout Target URL : end_url
Click Apply
Navigate to Launch Pad and click Access Manager> Host Identifiers, which should display a search form. Click Search.
Click Host Identifier Resource-11g-WG as created in Step 3c.
Add the hostname and port by clicking on ‘+’ in Host Name Variations.
After all desired Host Name and Port are added then click Apply.

Note:
These are the hostname and port of OHS to where Resource webgate files are copied.
Navigate to Launch Pad and click Application Domains, which should display the Search form. Click Search, which should display all the application domains available that are created by default when a webgate is created.

Click Application Domain as created in Step 3b, which should open the application domain with multiple tabs and Summary is opened by default.

Click Resources tab, which will display search form along with Create button. Click Create for each row in below table, update the create form as below and click Apply.

Table 12-1 Resource Identifiers

Type	Host Identifier	Resource URL	Protection Level	Authentication Policy	Authorization Policy
HTTP	Resource-11g-WG	/{sites-context}/**	Protected	Protected Resource Policy	Protected Resource Policy
HTTP	Resource-11g-WG	/{sites-context}/ContentServer/*	Protected	Protected Resource Policy	Protected Resource Policy
HTTP	Resource-11g-WG	/{sites-context}/Satellite/*	Protected	Protected Resource Policy	Protected Resource Policy
HTTP	Resource-11g-WG	/{sites-context}/faces/jspx/…/*	Protected	Protected Resource Policy	Protected Resource Policy
HTTP	Resource-11g-WG	/{sites-context}/wem/fatwire/…/*	Protected	Protected Resource Policy	Protected Resource Policy
HTTP	Resource-11g-WG	/{sites-context}/Xcelerate/LoginPage.html	Protected	Protected Resource Policy	Protected Resource Policy

Click Authentication Policies tab and then click Protected Resource Policy. Update the form as below and click Apply.

Authentication Scheme : DCCAuthnScheme11g (Created in Step 8)

Click Responses tab and then select Identity Assertion. Click Add and include the following responses:

Table 12-2 Identity Assertion Elements

Type	Name	Value
Header	FATGATE_POLICY	Protected
Header	FATGATE_EMAIL	$user.attr.mail

Click Authorization Policies tab and then click Protected Resource Policy. Update the form as given in the table below.

Click Responses and then select Identity Assertion.

Table 12-3 Identity Assertion Elements

Type	Name	Value
Header	FATGATE_POLICY	Protected
Header	FATGATE_EMAIL	$user.attr.mail

After adding the above responses, click Add
Click Apply.

Copy the Resource webgate files as given below that's created in WebLogic domain ($DOMAIN_HOME/output/Resource-11g-WG) to the OHS folder ($OHS_INSTANCE_HOME/config/OHS/$OHS_NAME /webgate/config hosting these webgate files.
1. ObAccessClient.xml
2. cwallet.sso
Restart OHS.

Sites OAM Integration

This topic provides steps to configure the Sites OAM integration with DCC

To configure the Sites OAM integration, follow the steps:

Deploy oamtoken web application to sites server.

Note:
Do not deploy oamlogin web application since it is not used.
Undeploy cas web application from the sites server.
Navigate to CS web application and open SSOConfig.xml in edit mode.

Add the following bean to the file and Save the file.

<!-- Single Sign On configuration -->
		<bean id="ssoconfig" class="com.fatwire.wem.sso.oam.conf.OAMConfig">
			<!-- URL prefix for REST service endpoint -->

			<property name="serviceUrl" value="http://{OHS_Host_of_Resource_Webgate:OHS_Port}/{sites-context}/REST" />
			<!-- URL prefix for Token Service servlet -->
			<property name="ticketUrl" value="http://{Sites_Host:Sites_Port}/oamtoken" />
			<!-- URL to be called when WEM logout is required. -->
			<property name="signoutUrl" value="http:// {OHS_Host_of_DCC_Webgate:OHS_Port }/oamsso-bin/logout.pl?end_url=http%3A%2F%2F{OHS_Host_of_Resource_Webgate} %3A{OHS_Port }%2F{sites-context}%2Fwem%2Ffatwire%2Fwem%2FWelcome" />
			<!-- Do not proxy tickets, tt's the last server in the call chain -->
			<property name="proxyTickets" value="false" />
			<!-- Database Credentials needed by user lookup in OAMFilter -->
			<property name="dbUsername" value="fwadmin" />
			<property name="dbPassword" value="{password_for_above_user}" />
			<!-- Your application protected resources (relative to applicationUrl) -->			
			<property name="protectedMappingIncludes">
				<list>
 							<value>wem/fatwire/**value>wem/fatwire/**>
							<value>/faces/jspx/**value>/faces/jspx/**>		
<value>/ContentServer?[pagename=OpenMarket/Xcelerate/UIFramework/LoginPage|OpenMarket/Xcelerate/UIFramework/ShowMainFrames|fatwire/getAllUserGroups|fatwire/getAllSecurityConfigs|rest/asset,# </value>  
<value><Satellite?[pagename=fatwire/insitetemplating/request|OpenMarket/Xcelerate/ControlPanel/Request|OpenMarket/Xcelerate/ControlPanel/EditPanel|fatwire/wem/ui/Ping|fatwire/wem/sso/validateMultiticket|OpenMarket/Xcelerate/UIFramework/ShowPreviewFrames,#]
</value>
							<value>Xcelerate/LoginPage.html</value>

Restart Sites server after the above changes.
Use a protected URL from the resource webgate to login to Sites. For example : http://{OHS_Host_of_Resource_Webgate:OHS_Port}/{sites-context}/.

Note:
Site Capture, Satellite Server and Visitor Services can be configured to the OAM in the same way.