OracleAS Single Sign-On (SSO)

Oracle Application Server Tips by Burleson Consulting

Prior to the introduction of OracleAS SSO, each component within OracleAS required separate password and authentication management.  Besides the duplication of passwords, the lack of a unified security interface presented huge maintenance issues and also compromised the overall manageability of the application.

Without SSO, every user is required to maintain a distinct password for every application in the enterprise.  As anyone who has dozens of passwords can tell you, they end up writing the passwords down, which can cause a serious security breach.  With SSO, each user has only one password for all applications within the OracleAS framework.

Unlike traditional Oracle applications, SSO is designed for web-based users.  Any Oracle system can be web-enabled, and the end-user community can securely access their applications from the Internet, anywhere in the world.  The central components of OracleAS SSO are the mod_osso module and the SSO login server, and that will be the focus of our SSO exploration.  As an OracleAS administrator, you are responsible for maintaining enterprise security, and knowledge of SSO administration is required.

OracleAS uses two techniques for end-user authentication, one for local "partner" applications (internal) and another for external applications.  Because external applications can use any number of authentication mechanisms, they cannot be integrated directly into SSO, and LDAP entries are used to manage their security.

  • Local partner applications - Local application authentication is performed from a lookup table within the isadb schema on the repository.  The lookup table contains all of the data, including the user ID, password and privileges, for local users.

  • External applications - External SSO identification allows any third-party product to be incorporated in an OracleAS system.  External applications use the Oracle Internet Directory (OID), and OracleAS handles authentication using standard LDAP entries.  At connect time, OracleAS binds to OID and looks up the remote user's credentials in the appropriate directory on the server.

While this chapter focuses on SSO administration, you can find details for user assignment and application management with SSO in Chapter 12, OracleAS Security.  Now that we understand the basic authentication methods of SSO, let's take a closer look at the internals of SSO.  We will start with a quick review of the SSO management scripts, then look at the mod_osso module and learn how it is used to administer OracleAS SSO security.  Let's start by exploring SSO configuration.

Configuring the SSO server

The configuration of SSO involves the creation and management of the server-side components for the SSO login server.  These configuration tasks include:

  • Allocate SSO directories - These must be allocated with the proper OS permissions to maintain security

  • Set up SSO configuration files - These must contain the correct values for your system

  • Configure SSO programs - These must be configured properly

  • Establish SSO library routines - These must have the proper group permissions

These are relatively trivial tasks, but they are crucial to the successful use of SSO.  Let's start by looking at the SSO directory structures and understanding the purpose and functions of the components within each directory.

SSO Directories

The SSO login server will have the following directories allocated at install time.  Each of these directories serves a specific purpose for SSO and contains important scripts and executables.

  • $ORACLE_HOME/reports/conf - This directory has the configuration files for Oracle Reports

  • $ORACLE_HOME/sso/bin - This directory contains the SSO executables

  • $ORACLE_HOME/dcm/bin - This is the directory for the DCM utility files

  • $ORACLE_HOME/Apache/Apache/conf - This is the location of the mod_osso configuration file

  • $ORACLE_HOME/sso/lib - This contains the ossoreg.jar file and other SSO library routines

These are the main driving directories for SSO, and they contain important programs for SSO management.  One of the most important is the SSO configuration utility, $ORACLE_HOME/sso/bin/ssocfg.sh, a shell script that invokes Java routines to manage the SSO layer.  The ssocfg.sh script accepts new_host_name and new_port as arguments.  For example, if we wanted to add server diogenes on port 1446, we would issue the following command:

ssocfg.sh diogenes 1446

Internally, the ssocfg.sh script issues the following Java invocation, calling the oracle.security.sso.SSOServerConfig Java program:

java oracle.security.sso.SSOServerConfig $*

Now that we have seen the contents of the SSO files, let's take a quick look at enabling and configuring SSO.

Enabling SSO

Enabling SSO is quite simple.  Turning on SSO requires adjusting the SINGLESIGNON parameter in the rwservlet configuration file (rwservlet.properties).  When SINGLESIGNON=YES, you are telling OracleAS that you will use SSO to authenticate users.  As we have noted, the rwservlet configuration file is usually found in the $ORACLE_HOME/reports/conf directory.

After you have completed configuring the SSO server, you must configure OHS to use SSO.  This is done by making an entry in the mod_osso.conf file and enabling mod_osso in the OHS configuration file.  The osso.conf file contains the partner registration record that was registered with the Single Sign-On (SSO) server.  Once OHS is configured for SSO, you can use SSO to protect individual resources via the SSO server.  There are several important directives in the file:

  • OSS Idle Timeout - If you set OssoIdleTimeout on, OracleAS will invoke a global inactivity timeout to disconnect idle sessions.

  • OSS IP Check - If you set OssoIpCheck on, OracleAS SSO will invoke an IP address check to ensure the authenticating browser is the same as the browser requesting access to protected facilities.
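As an added example (not the book's own code), the following POSIX shell script audits the settings described in this section and in the "Configuring the SSO server" tasks above: it checks rwservlet.properties for SINGLESIGNON=YES, mod_osso.conf for OssoIdleTimeout and OssoIpCheck being on, and the sso/bin and sso/lib directories for world-writable permissions. The file layout under $ORACLE_HOME is taken from the page; the function names and the sample tree the script builds are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the book: audit the SSO settings this section and the
# "Configuring the SSO server" tasks describe. Assumed layout (from the page):
#   $ORACLE_HOME/reports/conf/rwservlet.properties   -> SINGLESIGNON=YES
#   $ORACLE_HOME/Apache/Apache/conf/mod_osso.conf    -> OssoIdleTimeout / OssoIpCheck on
#   $ORACLE_HOME/sso/bin, $ORACLE_HOME/sso/lib       -> must not be world-writable

# Print the lower-cased value of "KEY=VALUE" or "KEY VALUE" in a file ("" if absent).
sso_setting() {  # $1=file $2=key (matched case-insensitively; comment lines ignored)
  [ -r "$1" ] || { echo ""; return 0; }
  grep -i "^[[:space:]]*$2[[:space:]=]" "$1" | head -n1 \
    | sed -e 's/^[[:space:]]*//' -e 's/^[^=[:space:]]*[[:space:]=]*//' -e 's/[[:space:]]*$//' \
    | tr 'A-Z' 'a-z'
}

# Audit one ORACLE_HOME: one "FINDING:" line per problem; exit status = number of findings.
check_sso_config() {  # $1=ORACLE_HOME
  oh="$1"; n=0
  rw="$oh/reports/conf/rwservlet.properties"
  mo="$oh/Apache/Apache/conf/mod_osso.conf"
  [ "$(sso_setting "$rw" SINGLESIGNON)" = "yes" ] \
    || { echo "FINDING: SINGLESIGNON is not YES in $rw (Reports not using SSO)"; n=$((n+1)); }
  [ "$(sso_setting "$mo" OssoIdleTimeout)" = "on" ] \
    || { echo "FINDING: OssoIdleTimeout is not on in $mo (idle sessions never expire)"; n=$((n+1)); }
  [ "$(sso_setting "$mo" OssoIpCheck)" = "on" ] \
    || { echo "FINDING: OssoIpCheck is not on in $mo (SSO cookie not tied to client IP)"; n=$((n+1)); }
  for d in "$oh/sso/bin" "$oh/sso/lib"; do   # 9th char of ls -ld is the other-write bit
    if [ -d "$d" ] && [ "$(ls -ld "$d" | cut -c9)" = "w" ]; then
      echo "FINDING: $d is world-writable"; n=$((n+1))
    fi
  done
  return $n
}

# Constructed sample ORACLE_HOME with every setting wrong, so the audit can run offline.
make_sample_home() {  # $1=dir
  mkdir -p "$1/reports/conf" "$1/Apache/Apache/conf" "$1/sso/bin" "$1/sso/lib"
  printf 'SINGLESIGNON=NO\n' > "$1/reports/conf/rwservlet.properties"
  printf '# constructed sample\nOssoIdleTimeout off\nOssoIpCheck off\n' > "$1/Apache/Apache/conf/mod_osso.conf"
  chmod 755 "$1/sso/bin"; chmod 777 "$1/sso/lib"   # lib deliberately world-writable
}

# The corrected settings for the same tree.
harden_sample_home() {  # $1=dir
  printf 'SINGLESIGNON=YES\n' > "$1/reports/conf/rwservlet.properties"
  printf 'OssoIdleTimeout on\nOssoIpCheck on\n' > "$1/Apache/Apache/conf/mod_osso.conf"
  chmod 755 "$1/sso/lib"
}
```

Run `check_sso_config "$ORACLE_HOME"` against a real installation; a non-zero exit status is the number of findings printed.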

The SSO login server is the component of OracleAS that accepts the user's password and manages their access to all OracleAS applications.  After the user enters an accepted password, OracleAS sends a message to all applications that this user has been authenticated and (optionally) stores a cookie on the browser.  This cookie is used to avoid the need to re-enter the password during subsequent visits.

TIP: Any web browser that uses SSO should be configured to accept cookies because the end-user will become annoyed with the repeated login screens that are displayed without cookie support.

Because SSO governs security for the whole enterprise, you must have Full Administrator privileges on the login server to configure the SSO login server.  If you want to access the SSO login server from OracleAS Portal, you must be an Authorized OracleAS Portal Administrator.

The OracleAS repository has some important SSO log tables that assist in tracking SSO interaction and errors.  Let's take a quick look at these log tables.

 

This is an excerpt from "Oracle 10g Application Server Administration Handbook" by Don Burleson and John Garmany.
Copyright © 1996 -  2017

All rights reserved by Burleson