Configuring OAM SSO for ATG BCC and Endeca XM

Introduction

Single sign-on, or “SSO” as it’s commonly referred to, is an authentication method that allows a user access to multiple applications through a single, secure, point of entry. Rather than authenticate separately for each application, users authenticate once through a centralized service. The benefits of SSO to end users are obvious, but there are also many cost and compliance advantages that are of interest to large organizations, which is why Oracle’s enterprise customers have increasingly demanded SSO integration with Oracle Access Manager (OAM). With the introduction Oracle Commerce 11 they now have it, and in this blog I will be demonstrating how to use OAM to enable SSO between the ATG Business Control Center (BCC) and Endeca Experience Manager (XM).

Main Article

E-commerce applications are rarely simple. Often they require access to a variety of disparate systems, including inventory, fulfillment, service center, and marketing systems. A common obstacle when working with such heterogeneous systems is authenticating and preserving identity integrity. In response, many organizations choose to incorporate single sign-on solutions into their integration architecture. To meet customer demands, as well as continue its vision of unifying the Commerce toolset, Oracle has introduced in its Commerce 11.0 release a Commerce-only SSO solution that comes standard, and an Enterprise SSO solution that leverages Oracle Access Manager. The focus of this article is on the latter, illustrating how OAM can be used to provide single sign-on capability between the ATG BCC and Endeca Workbench/XM, as well as other Oracle and non-Oracle products.

Oracle Access Manager (OAM) is an industry-leading Web Access Management (WAM) solution that provides Web Single Sign-On, centralized policy administration, real-time session management and auditing. It is core to Oracle’s Access Management platform. OAM enforces access policies using web server agents called as WebGates. The WebGates intercept site traffic and verify that the user is authenticated and authorized to access the requested resource. If the user isn’t yet authenticated, the WebGate redirects the user to a login page, which validates the user’s credentials against a user repository. Once authenticated, a session gets established on the Access Manager server, and as the user tries to access different applications and resources, the Access Manager server evaluates whether the user is permitted to access that particular resource, and conveys its decision back to the WebGate for enforcement.

The procedure outlined below demonstrates how to install and configure OAM for use with Oracle Commerce 11 for authentication only. Authorizations are still managed by the respective product consoles. This article assumes that the reader is familiar with Oracle Commerce, but new to OAM. As such, I demonstrate the basic install procedure for OAM. This information is no substitute for product installation and configuration documentation, and may be incomplete. It is therefore recommended that the reader first review the product documentation and use this article only to augment or bolster their understanding.

Installing OAM 11gR2

To configure Oracle Commerce for SSO with Oracle Access Manager, an OAM environment must exist and be accessible to the Commerce servers. Below is a basic installation procedure for OAM on a Linux based environment, intended to help Commerce developers configure a local environment for testing and further exploration. If you have access to an existing OAM environment, then feel free to skip this section and continue to Commerce configuration, noting the host and port differences.

Installation Procedure

  1. Start by downloading the following software
    • • Oracle Identity and Access Management 11g (11.1.2.2.0)
    • • Oracle Fusion Middleware Repository Creation Utility 11g (11.1.2.2.0)
    • • Oracle Access Manager OHS 11g WebGates 11.1.2.2.0
    • • Oracle WebTier Utilities 11gR1 (11.1.1.7)
    • • Oracle WebLogic Server 10.3.6
    • • Java SE Development Kit 6u45
  2. Install the RCU schema
    Extract “ofm_rcu_linux_11.1.2.2.0_64_disk1_1of1.zip” and run rcu in a 32-bit shell:

    linux32 bash
    ./rcuHome/bin/rcu
    

    Database Type: Oracle Database
    Host Name: localhost
    Port: 1521
    Service Name: orcl
    Username: sys
    Password: password

    Select “Oracle Access Manager” under Identity Management
    Use the same password for all schemas: welcome1

  3. Install Java and WebLogic Server
    Extract “jdk-6u45-linux-x64.bin” to /app/oracle/product/fmw11g/jdk160_45. Then run:

    java -jar wls1036_generic.jar
    

    Install to: /app/oracle/product/fmw11g

    If the GUI doesn’t start, try:

    yum install libXtst.i686
    
  4. Install Oracle Access Manager
    Extract “ofm_iam_generic_11.1.2.2.0_disk1_1of2.zip” and “ofm_iam_generic_11.1.2.2.0_disk1_2of2.zip” and run the OAM installer:

    ./Disk1/runInstaller -jreLoc /app/oracle/product/fmw11g/jdk160_45
    

    Oracle Middleware Home: /app/oracle/product/fmw11g
    Oracle Home Directory: idm_11.1.2

    If the Prerequisite Checks fail during installation, try:

    yum install compat-libcap1
    yum install compat-libstdc++-33.i686
    

    Note: To remove OAM, you can run the installer again with the -deinstall option.

    cd /app/oracle/product/fmw11g
    ./idm_11.1.2/oui/bin/runInstaller -deinstall
    
  5. Create a WebLogic Domain for the OAM Servers
    . /app/oracle/product/fmw11g/wlserver_10.3/server/bin/setWLSEnv.sh
    /app/oracle/product/fmw11g/wlserver_10.3/common/bin/config.sh
    

    Select:
    • Oracle Access Management
    • Oracle Enterprise Manager

    Domain Name: idm_domain
    Password: welcome1

    Select both Schemas and change:

    DBMS/Service: orcl
    Host Name: localhost
    Password: welcome1

  6. Upgrade Schemas using Patch Assistant
    Run the Patch Assistant:

    /app/oracle/product/fmw11g/oracle_common/bin/psa
    

    Select:
    • Oracle Access Manager

    Connect String: localhost:1521/ORCL
    DBA User Name: sys as sysdba
    DBA Password: password

    Schema User Name: DEV_IAU
    Schema Password: welcome1

  7. Create a Security Store for the WLS Domain
    cd /app/oracle/product/fmw11g/idm_11.1.2/common
    bin/wlst.sh tools/configureSecurityStore.py -d /app/oracle/product/fmw11g/user_projects/domains/idm_domain -c IAM -p welcome1 -m create
    

    Note: if you encounter any issues, re-run configureSecurityStore.py using “-m validate_fix”, instead of “-m create”. Then run “-m validate” to verify the configuration.

  8. Start WebLogic Servers
    cd /app/oracle/product/fmw11g/user_projects/domains/idm_domain
    ./startWebLogic.sh
    ./bin/startManagedWebLogic.sh oam_server1
    

    The following URLs should now be accessible:
    http://localhost:7001/console
    http://localhost:7001/em
    http://localhost:7001/oamconsole

  9. Install Oracle WebTier Utilities 11gR1
    Extract “ofm_webtier_linux_11.1.1.7.0_64_disk1_1of1.zip” and execute ./Disk1/runInstaller
    Select “Install Software – Do Not Configure”

    Oracle Middleware Home: /app/oracle/product/fmw11g
    Oracle Home Directory: webtier_11.1

    /app/oracle/product/fmw11g/webtier_11.1/bin/config.sh
    

    Select:
    • Oracle HTTP Server
    • Associate Selected Components with WebLogic Domain

    Make sure the WLS Admin Server is running, and specify the OAM Admin port number (7001).

    Instance Home Location: /app/oracle/product/fmw11g/webtier_11.1/instances/instance1
    Instance Name: instance1
    OHS Component Name: ohs1

  10. Install OAM 11gR2 (11.1.2.2) Webgate for OHS 11gR1 (11.1.1.7)
    Extract “ofm_webgates_generic_11.1.2.2.0_disk1_1of1.zip” and run Installer:

    ./Disk1/runInstaller -jreLoc /app/oracle/product/fmw11g/jdk160_45
    

    Oracle Middleware Home: /app/oracle/product/fmw11g
    Oracle Home Directory: webgate_11.1.2

    cd /app/oracle/product/fmw11g/webgate_11.1.2/webgate/ohs/tools/deployWebGate
    ./deployWebGateInstance.sh -w /app/oracle/product/fmw11g/webtier_11.1/instances/instance1/config/OHS/ohs1 -oh /app/oracle/product/fmw11g/webgate_11.1.2
    
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/app/oracle/product/fmw11g/webtier_11.1/lib:/app/oracle/product/fmw11g/webgate_11.1.2/webgate/ohs/lib
    
    cd /app/oracle/product/fmw11g/webgate_11.1.2/webgate/ohs/tools/setup/InstallTools
    ./EditHttpConf -w /app/oracle/product/fmw11g/webtier_11.1/instances/instance1/config/OHS/ohs1 -oh /app/oracle/product/fmw11g/webgate_11.1.2 -o webgate.conf
    
  11. Start OHS
    cd /app/oracle/product/fmw11g/webtier_11.1/instances/instance1/bin
    ./opmnctl startall
    

    To verify that OHS started successfully, open a browser and access the following URL:
    http://localhost:7777

    If you don’t see a welcome page, then the server is not running. Check the OHS log in the diagnostics directory and ensure that there are no errors being reported. If you see the following error: “libexpat.so.0: cannot open shared object file” then you may need to install libexpat using the procedure below.

    Download the latest Oracle Linux 6 repo configuration file and install compat-expat1:

    su - root
    cd /etc/yum.repos.d
    wget http://public-yum.oracle.com/public-yum-ol6.repo
    yum install compat-expat1
    
  12. Uninstall Procedure (in case of emergency)
    In the event that something goes wrong and you need to remove and re-install the products, the following commands can be used to uninstall everything:

    cd /app/oracle/product/fmw11g
    ./webgate_11.1.2/oui/bin/runInstaller -deinstall
    ./webtier_11.1/oui/bin/runInstaller -deinstall
    ./idm_11.1.2/oui/bin/runInstaller -deinstall
    <RCU_INSTALLER>/rcuHome/bin/rcu   (select the Drop Schema option)
    

    Optional:

    ./oracle_common/oui/bin/runInstaller -jreLoc /app/oracle/product/fmw11g/jdk160_45 -deinstall
    rm -f /app/oracle/product/fmw11g
    

This should be sufficient for a simple OAM installation. For configurations beyond the scope of this basic install procedure, or for more detailed instructions, please refer to the product installation documentation for OAM, which can be found here:

Quick Installation Guide for Oracle Identity and Access Management
Installation Guide for Oracle Identity and Access Management

Configuring Oracle HTTP Server (OHS) Proxy

In order for OAM to intercept Commerce requests the traffic must be routed through an Oracle HTTP Server (OHS) where an OAM WebGate agent resides. In steps 9-11 above, we installed and configured an OHS server with a WebGate agent, but we need to amend this configuration to proxy requests from OHS to the ATG BCC and Endeca Workbench/XM. Assuming that your ATG environment will be running on Oracle WebLogic Server, the simplest way to achieve this is to use separate OHS Virtual Hosts for the BCC and XM, and to proxy from the root path using the WebLogic Proxy Plug-in.

In my setup, I chose to install everything into virtualized environments using Oracle VirtualBox. This isn’t necessary, but can be useful if you’re working with multiple versions of these products. I installed the Commerce software in a separate Virtual Machine (VM) than the Security software to avoid possible port conflicts, and increase the reusability of my VMs, but this isn’t necessary either. If you wanted to install everything in one environment, that would work as well, provided you have the hardware to support it. My VMs communicate with one another by leveraging a feature new to VirtualBox 4.3+ known as “NAT Networking” which allows virtual machines to talk to each other on the same host and communicate with the outside world.

In my configurations below, you’ll see references to the hostnames “hadrian” and “tiberius”. These are the hostnames of my VMs, which are named respectively after the Roman emperors, who built the defensive fortification known as Hadrian’s Wall to keep the barbarians out, and who replenished the imperial treasury. Feel free to use any hostname that makes it easy to remember which server is which.

To configure the virtual hosts and set up the proxy rules, edit the file mod_wl_ohs.conf:

cd /app/oracle/product/fmw11g/webtier_11.1/instances/instance1/config/OHS/ohs1
vi mod_wl_ohs.conf

And add a section similar to the following, noting that your hostnames and port numbers may differ:

LoadModule weblogic_module   "${ORACLE_HOME}/ohs/modules/mod_wl_ohs.so"

<IfModule weblogic_module>
  Debug ON
  WLLogFile /tmp/weblogic.log

  Listen 7778
  <VirtualHost *:7778>
    <Location />
        SetHandler weblogic-handler
        WebLogicHost tiberius
        WebLogicPort 8006
    </Location>
  </VirtualHost>

  Listen 7779
  <VirtualHost *:7779>
    <Location />
        SetHandler weblogic-handler
        WebLogicHost tiberius
        WebLogicPort 7103
    </Location>
  </VirtualHost>

</IfModule>

This will proxy all requests made to hadrian on port 7778 to the Endeca server running Workbench/XM on tiberius:8006, and all requests made on port 7779 to the ATG server running on tiberius:7103. It is possible to proxy from a single host, but you would need to define location handlers for all the various proxy paths (/atg, /ifcr, /preview, /rest, /js, /dojo-1, …) because ATG does not keep all of its URL paths under an “/atg” context.

For these changes to take effect, you will need to stop and restart OHS:

cd /app/oracle/product/fmw11g/webtier_11.1/instances/instance1/bin
opmnctl stopall
opmnctl startall

Afterwards, the new URL for accessing the Endeca Workbench/XM through OHS/OAM will be:
http://hadrian:7778/ifcr

And the new URL for accessing the ATG BCC through OHS/OAM will be:
http://hadrian:7779/atg/bcc

For more information on configuring Virtual Hosts or the WebLogic Proxy Plug-in, you can also consult the following resources:

Apache Virtual Host Documentation
Using Web Server Plug-Ins with Oracle WebLogic Server

Enabling OAM for ATG Commerce BCC

Next we need to configure ATG Commerce to accept OAM authenticated users. The easiest way to configure OAM on ATG Commerce is to use the ATG Configuration and Installation Manager (CIM). CIM is a text-based application that simplifies configuration for ATG products. You can launch it by executing cim.sh from the “$ATG_INSTALL/ATG/home/bin” directory. At the end of the Product Selection phase of CIM configuration, you have the option to enable product add-ons. One of the product add-on options is “Single Sign On (SSO)”. To enable OAM-based SSO with ATG Commerce, you must enable the SSO add-on, and then select “OAM Authentication” as the SSO authentication model. Below is a sample transcript of such a session.

[oracle@localhost]$ /app/oracle/product/atg/ATG/home/bin/cim.sh

The following installed ATG components are being used to launch:
  ATGPlatform version 11.0 installed at /app/oracle/product/atg/ATG

Nucleus running

     Oracle ATG Web Commerce Configuration Installation Manager

-------START OPSS SERVICES------------------------------------------------------
enter [h]Help, [q]Quit to exit 

Starting the Oracle Platform Security Services (OPSS)

=======CIM MAIN MENU============================================================
enter [h]Help, [q]Quit to exit 

Choose the task you want to perform:
  [1]  Database Configuration - Done
  [2]  Configure OPSS Security - Done
  [3]  Server Instance Configuration - Done
  [4]  Application Assembly & Deployment - Done
  [R]  Set the Administrator Password - Done
  [P]  Product Selection - Done (ATG REST & ATG Site Administration & 
ATG-Endeca Integration & Oracle ATG Commerce Service Center & Oracle Commerce 
Reference Store & ATG Content Administration)
  [A]  Select Application Server - Done (Tomcat)
 *[C]  Custom CIM Plugin Launcher 

 > P

-------ANALYZING PRODUCT DIRECTORIES--------------------------------------------

Please wait as CIM analyzes your product folders. . . . . . . . . . . . 
Analysis complete: 6 seconds

-------WARNING------------------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

Changing your product selection may require changes to your configuration. 
Database Configuration, Server Instance Configuration, and Application 
Assembly and Deployment will need to be redone. Are you sure you want to 
continue?
 
 *[C]  Continue
  [A]  Cancel

 > C

-------PRODUCT SELECTION--------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

Select product you wish to configure by entering the corresponding item number.

  (Searching for products... done.)

  Choose one of the following options: (* = Currently selected )

  [1]  ATG Platform - 
        Includes, optionally, data warehouse components
 
 *[2]  ATG REST - 
        RESTful Web Services
 
  [3]  WebCenter Sites Extensions - 
        Includes ATG Platform and Endeca Reader.
 
 *[4]  ATG Site Administration - 
        Includes ATG Platform and Content Administration
 
 *[5]  ATG-Endeca Integration - 
        Includes ATG Platform. Select this option when Endeca is used.
 
 *[6]  ATG Content Administration - 
        Includes ATG Platform.  Optional: Preview
 
  [7]  ATG Commerce - 
        Includes ATG Platform and Content Administration. Optional: data 
        warehouse components, Preview and Merchandising UI
 
  [8]  Endeca Reader - 
        Includes ATG Platform. Select this option when Endeca is used to 
        import data to ATG.
 
 *[9]  Oracle ATG Commerce Service Center - 
        Agent-facing commerce application
 
 *[10]  Oracle Commerce Reference Store - 
        Includes the ATG platform, ATG-Endeca Integration, ATG Content 
        Administration, Site Administration, Oracle ATG Web Commerce, and 
        Oracle ATG Web Commerce Merchandising. Optional: data warehouse 
        components and Preview
 
  [D]  Done

Select one or more > D

-------ENDECA SEARCH------------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

The following addon(s) have been automatically included for the selected 
product: Endeca Search

-------MERCHANDISING UI---------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

The following addon(s) have been automatically included for the selected 
product: Merchandising UI

-------CHOOSE ADDONS :----------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

  Choose AddOns :
  [1]  Reporting
  [2]  Staging Server
  [3]  Dedicated Lock Servers
 *[4]  Single Sign On (SSO)
  [5]  Abandoned Order Services
 *[6]  Preview Server
  [D]  Done

Select zero or more > D

-------SSO AUTHENTICATION-------------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

  SSO Authentication
 *[1]  Commerce Only SSO Authentication
  [2]  OAM Authentication

Select one > 2

-------INCLUDE DEMO APPLICATION:------------------------------------------------
enter [h]Help, [m]Main Menu, [q]Quit to exit 

  Include Demo Application:
  [1]  Quincy Funds Demo
  [D]  Done

Select zero or one > D

Once the SSO add-on has been enabled, and OAM Authentication selected as the authentication method, you can configure your production and publishing servers, like you would in a typical ATG Commerce installation, but use the OHS server values instead. So, where you see:

  • Fully-qualified Workbench Hostname – use the complete hostname of the OHS server.
  • Workbench Port Number – use the OHS virtual host port that proxies to Endeca Workbench.
  • OAM Web Server Hostname – use the hostname of the OHS server instead.
  • OAM Web Server Port – use the OHS virtual host port that proxies to ATG BCC.

For example, here are the values that I used throughout my configuration:

Fully-qualified Workbench Hostname  : hadrian.us.oracle.com
Workbench Port Number               : 7778
OAM Remote User Http Header Name    : OAM_REMOTE_USER
OAM Web Server Hostname             : hadrian
OAM Web Server Port                 : 7779
Webgate Logout URL                  : /oamsso/logout.html?end_url=/atg/bcc?dummy=1

After completing the CIM configuration, the following files should have been added or modified:

/app/oracle/product/atg/ATG/home/servers/atg_pub/localconfig
     /atg/dynamo/servlet/dafpipeline
          OamRemoteUserServlet.properties
          DynamoHandler.properties
          AccessControlServlet.properties
     /atg/dynamo/servlet/pipeline
          RedirectURLValidator.properties
     /atg/endeca
          ApplicationConfiguration.properties
     /atg/remote/controlcenter/service
          ControlCenterService.properties
     /atg/userprofiling
          InternalProfileFormHandler.properties
     /atg/userprofiling/oam
          Configuration.properties
          NonTransientLogoutAccessController.properties
     /atg/web/assetmanager/userprofiling
          NonTransientAccessController.properties
/app/oracle/product/atg/ATG/home/servers/atg_prod/localconfig
     /atg/endeca
          ApplicationConfiguration.properties

If your environment is already configured and you don’t want to use CIM, it’s probably best to run CIM in a different environment to get the modified files, then run diff checks against the above files to determine what changes need to be applied, and manually apply them.

Once the above procedure is complete, we’ll have all we need to accept OAM authenticated users from the ATG BCC, but we still need to create an OAM policy to secure the application and redirect to the OAM SSO Login Page when unauthenticated requests to port 7779 are made. We’ll get into that after first discussing the additional changes necessary for Endeca OAM integration.

For additional information on the ATG OAM integration, you can also refer to the following:

Using Oracle Access Management for Single Sign On
Installing the Oracle Access Manager Integration Component

Enabling OAM for Endeca Workbench/XM

Like ATG, Endeca also needs to be configured accept OAM authenticated users, but unlike ATG, there is no CIM configuration wizard for Endeca. The changes must be made through manual edits on Endeca configuration files. Outlined below is the procedure that I followed to configure Endeca for OAM SSO.

  1. Edit the webstudio.properties file:
    cd /app/oracle/product/endeca/ToolsAndFrameworks/11.0.0/server/workspace/conf
    vi webstudio.properties
    

    And apply the following changes:

    a) Set useOAM to true, and set logoutURL as follows:

    # OAM Authentication
    com.endeca.webstudio.useOAM=true
    #com.endeca.webstudio.oam.identityAssertionValidation=true
    #com.endeca.webstudio.oam.keyStore=oamkeystore.ks
    #com.endeca.webstudio.oam.keyStoreType=JKS
    #com.endeca.webstudio.oam.keyStorePassword=oampass
    com.endeca.webstudio.oam.logoutURL=/ifcr/system/sling/logout.html?oam.logout.url=/oamsso/logout.html%3Fend_url=/ifcr
    

    b) Set useSSO to false, and comment out the Commerce SSO section:

    # Commerce SSO Authentication
    com.endeca.webstudio.useSSO=false
    #com.endeca.webstudio.sso.loginURL=http://localhost:38840/sso/login
    #com.endeca.webstudio.sso.controlURL=http://localhost:38840/sso/control
    #com.endeca.webstudio.sso.logoutURL=http://localhost:38840/sso/logout
    #com.endeca.webstudio.sso.validationURL=http://localhost:38840/sso/validate
    #com.endeca.webstudio.sso.keepAliveURL=http://localhost:38840/sso/keepAlive
    #com.endeca.webstudio.sso.keepAliveFrequency=1800
    
  2. In the same directory, edit the ws-extensions.xml file, and change the url attributes to point to the OHS virtual host for the ATG BCC:
    <extension id="bcc-home" defaultName="BCC" defaultDescription ="BCC"
      url="http://hadrian:7779/atg/bcc"
        externalURL="true"/>
        <extension id="bcc-access-control"
          defaultName="BCC Access Control"
          defaultDescription="BCC Access Control"
          role="admin"
          url="http://hadrian:7779/ControlCenter/application/accesscontrol"
          externalURL="true"/>
    </extensions>
    
  3. Edit the file Login.conf, and uncomment the Webstudio section. Then modify the serverInfo, serviceUsername, and servicePassword properties to point to the same LDAP repository that OAM checks against. In my configuration, that was the WebLogic Server Embedded LDAP. An example of my file is shown below:
    Webstudio {
        com.endeca.workbench.authentication.ldap.WorkbenchLdapLoginModule required
        serverInfo="ldap://hadrian:7001"
        serviceUsername="cn=Admin"
        servicePassword="welcome1"
        serviceAuthentication="simple"
        authentication="simple"
        useSSL="false" keyStoreLocation="/app/oracle/product/endeca/ToolsAndFrameworks/11.0.0/server/workspace/conf/webstudio.jks"
        keyStorePassphrase="keypass"
    
        // The query used to look up a user in the LDAP directory and
        // templates that extract information from the user object
        userPath="/ou=people,ou=myrealm,dc=idm_domain??sub?(&(objectClass=person)(uid=%{#username}))"
        userTemplate="%{#uid}"
        firstNameTemplate="%{#givenName}"
        lastNameTemplate="%{#sn}"
        emailTemplate="%{#mail}"
    
        // The query used to look up a group in the LDAP directory and
        // templates that extract information from the group object
        findGroupPath="/ou=groups,ou=myrealm,dc=idm_domain??sub?(&(objectClass=group)(cn=%{#groupname}))"
        findGroupTemplate="%{#dn:0}"
        groupEmailTemplate="%{#mail}"
    
        // The query and template used to fetch the groups associated
        // with a user when the user logs in to Web Studio
        groupPath="/ou=groups,ou=myrealm,dc=idm_domain??sub?(member=%{#dn})"
        groupTemplate="%{#dn:0}"
    ;
    };
    
  4. The servicePassword specified in step 3 above is not the password for the weblogic or admin user, but rather the password for the WebLogic Embedded LDAP admin user (“cn=Admin“). The password you specify in the servicePassword field must match with the Embedded LDAP password configured in WebLogic Server.
    To set this password, log into the WebLogic Admin Console for the OAM environment (http://hadrian:7001/console) and navigate to “idm_domain ▶ Security ▶ Embedded LDAP”, and change the value of the credential field to use the same password. Then save and apply your changes.
    commerce+oam_wls_sec_realm
  5. While you’re in the WebLogic Admin Console, add a user named “admin”. Navigate to “Security Realms ▶ myrealm ▶ Users and Groups ▶ Users”, and click the “New” button to add a new user named admin. Don’t worry about assigning groups to this user because authorization will be done in the BCC and in Workbench.
    commerce+oam_wls_admin_user
  6. Log into the Endeca Workbench. Navigate to User Management, click on the admin user and change the Source from Workbench to LDAP:
    commerce+oam_wb_admin_user

New users created must be synchronized between WebLogic Server, Workbench, and the ATG Profile Repository. That is, if you create a new user in the WebLogic security realm, and you want that user to be able to log into Workbench, as well as log into the ATG BCC, then you must also create that user in Workbench, as well as in the ATG Profile Repository.

The procedure outlined here is sufficient if Workbench and OAM are both behind the same firewall, but if that’s not the case, you may want to enable trust between the two systems by enabling Identity Assertion Validation.

More information on IA validation and configuring Endeca with OAM can be found in:

Oracle Endeca Commerce Administrator’s Guide

Configuring OAM Security Policies for BCC and Workbench/XM

The final steps of this process are to configure the security policies that protect the BCC and Workbench/XM. These applications already have their own individual login pages, but this procedure will allow them to use a single, shared, login page, that bypasses the application specific logins and only requires users to sign in once to access both applications.

All security policy configuration is done using the Oracle Access Management Console, so start by opening a browser and logging into the OAM console (http://hadrian:7001/oamconsole).

  1. Register a WebGate agent:
    a) From the Launchpad, under Quick Start Wizards, select “SSO Agent Registration”.
    b) As the type, select “11g Webgate” and click Next.
    c) Enter “OHS1_WebGate” as the name, and “hadrian.us.oracle.com” as the preferred host.

    commerce+oam_oamconsole_wgagent

    d) Click Finish.

  2. Create Host Identifiers for the ATG and Endeca servers:
    a) From the Launchpad, under Access Manager, select “Host Identifiers”.
    b) Click the “Create Host Identifier” button.
    c) Use name “endeca_wb1”, and “hadrian.us.oracle.com:7778” for host and port, then click Apply.

    commerce+oam_oamconsole_hostid

    d) Repeat for ATG server, using:

    Name: atg_pub1
    Description: Host identifier for ATG Publishing
    Host Name: hadrian.us.oracle.com
    Port: 7779
  3. Create an Application Domain:
    a) From the Launchpad, under Access Manager, select “Application Domains”.
    b) Click the “Create Application Domain” button. Enter the following, and click Apply.

    Name: ATG/Endeca
    Description: Policy objects enabling integration with ATG and Endeca.
  4. Create an Authentication Policy:
    a) On the newly created application domain, select the “Authentication Policies” tab.
    b) Click the “Create Authentication Policy” button.
    c) Name the policy “Endeca” and select “LDAPScheme” for authentication. Then click Apply.

    commerce+oam_oamconsole_atnpolicy

    d) Click the “Duplicate” button to create another similar policy, this time using the following:

    Name: ATG
    Description: ATG SSO using LDAP authentication.
  5. Create an Authorization Policy:
    a) Return to the ATG/Endeca application domain, and select the “Authorization Policies” tab.
    b) Click the “Create Authorization Policy” button, and name the policy “open”.
    c) Select the “Conditions” tab, and add a condition of type True (name will auto-populate).
    d) Select the “Rules” tab, and in the “Allow Rule” section, move the TRUE condition from Available to Selected, and click Apply.

    commerce+oam_oamconsole_rules
  6. Define the Resource URLs to protect:
    a) Return to the ATG/Endeca application domain, and select the “Resources” tab.
    b) Click the “New Resource” button, and create a new resource of type HTTP with:

    Host Identifier: endeca_wb1
    Resource URL: /**
    Protection Level: Protected
    Authentication Policy: Endeca
    Authorization Policy: open
    commerce+oam_oamconsole_resources

    c) Click the “Duplicate” button to create another similar resource, this time using the following:

    Host Identifier: atg_pub1
    Resource URL: /**
    Protection Level: Protected
    Authentication Policy: ATG
    Authorization Policy: open

Conclusion

Once you’ve completed the procedures above, and have restarted all of your servers, your environment will be SSO enabled using Oracle Access Manager. Your users should use the frontend host addresses to log into the BCC and XM and will be able to toggle between the two consoles without having to re-authenticate.

To verify your configuration, try logging into either of the following two URLs (hostname may differ):
http://hadrian:7778/ifcr
http://hadrian:7779/atg/bcc

If everything is configured correctly, you will be presented with the Oracle Access Manager Login page:

commerce+oam_oam_loginpage

Log in using the password specified when creating the admin user in the WebLogic Admin Console (welcome1), and you should proceed to either the BCC or XM management console.

From the BCC, under “Oracle Commerce Tools” section, you should see a link for the Endeca Workbench:

commerce+oam_bcchome

Clicking on the link will navigate to the Endeca Workbench without requiring you to authenticate again. From the Endeca Workbench/XM, you should also see a link that can take you back to the ATG BCC:

commerce+oam_xmhome

Hopefully this article provides the necessary insight to administrators, architects, and developers, who are looking to integrate OAM into their Commerce solutions. Please keep in mind that the procedures outlined herein are intended for development environments, and that additional steps may be required for production environments. Please make sure to also review the product literature when configuring your environments.

Comments

  1. Hello João,

    Each of these products (ATG BCC, Endeca XM, and OAM/WebLogic Server) offer the ability to configure LDAP-based user repositories. In the example above, I just configured everything using the OOTB default user stores; however, in a production environment that’s not likely to be the case. Most customers would probably configure a common LDAP repository for their users and configure each of the products to use that as their user store. If that’s the case, then no synchronization is necessary. If you need to keep your users in separate repositories, then another option that you should consider is a product like Oracle Virtual Directory (OVD), which allows you to combine directories, as well as synchronize if necessary. Outside of that, I’m not aware of anything OOTB in these products that supports synchronizing directories.

    Hope that helps,

    -jim

  2. Joao Lopes says:

    Hi Jim

    Thank you for exposing here the steps to achieve this. Very detailed indeed.

    I arrived to this information because I was looking about how to synchronize the users between BCC, XM and OAM.
    You state: “New users created must be synchronized between WebLogic Server, Workbench, and the ATG Profile Repository.”
    Do you have any recommendations for this part? Do you know if is possible to automatize this? Bulk load, lazy-load?

    Many thanks,
    João

Add Your Comment