Enabling SSL for Fusion Applications Login Pages

Introduction

During IDM provisioning you can enable SSL for all external traffic, as shown in the screenshots below. If the environment was provisioned without SSL, the remaining sections of this post describe how to enable it afterwards.

To enable SSL during provisioning you need to select the EDG Topology:

[Screenshot: idm_prov_1]

On the last screen, the Load Balancer page, make sure the SSL checkbox is checked.

[Screenshot: idm_p2_marked_snip]

IDM Configuration Changes

Update AuthOHS configuration

The first step is to make OHS route requests for the OAM, OIM and OIF pages to the WebLogic managed servers when they arrive over SSL. This is done by updating the ssl.conf file located in the directory $IDM_MAIN/config/instances/ohs1/config/OHS/ohs1.

Please note that the directory structure may differ slightly on your environment.

Create a backup copy of the file, then edit it and add the virtual host entries directly after the line <VirtualHost *:4443> and before <IfModule ossl_module>:

## 
## SSL Virtual Host Context 
## 
<VirtualHost *:4443> 
 ## Insert entries here...
 <IfModule ossl_module> 
 # SSL Engine Switch: 
 # Enable/Disable SSL for this virtual host. 
 SSLEngine on

The virtual host entries to copy are in the idm.conf file in the directory $IDM_MAIN/config/instances/ohs1/config/OHS/ohs1/moduleconf: take everything after the line starting with <VirtualHost *:7777> up to and including the last </Location> (the second-to-last line of the file), leaving out the closing </VirtualHost>.

In the copied entries, change the front-end port to the SSL port. This example keeps the provisioning defaults, so the ServerName changes from http and 7777 to https and 4443. The WebLogicPort values (7001 and 14100 below) are the managed servers' own listen ports and stay as they are; SSL terminates at OHS, and this change does not encrypt the hop from OHS to WebLogic.

##
## SSL Virtual Host Context
##
<VirtualHost *:4443>
 ServerName https://ateamref-idm.us.oracle.com:4443
 RewriteEngine On
 RewriteRule ^/console/jsp/common/logout.jsp "/oamsso/logout.html?end_url=/console" [R]
 RewriteRule ^/em/targetauth/emaslogout.jsp "/oamsso/logout.html?end_url=/em" [R]
 RewriteRule ^/FSMIdentity/faces/pages/Self.jspx "/oim" [R]
 RewriteRule ^/FSMIdentity/faces/pages/pwdmgmt.jspx "/admin/faces/pages/pwdmgmt.jspx" [R]
# RewriteRule ^/FSMIdentity/faces/pages/Self.jspx "/identity" [R]
 RewriteOptions inherit
 UseCanonicalName On

# OAM Related Entries
 # Admin Server and EM
 <Location /console>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 7001
 </Location>

 <Location /consolehelp>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 7001
 </Location>

 <Location /em>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 7001
 </Location>

 <Location /oamconsole>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 7001
 </Location>

 <Location /oam>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 14100
 </Location>

 <Location /fusion_apps>
 SetHandler weblogic-handler
 WebLogicHost idmhost.mycompany.com
 WebLogicPort 14100
 </Location>

Save and close the ssl.conf file.

These changes take effect the next time OHS on the IDM host is restarted. Do not restart OHS until all of the configuration changes below have been completed.

Update OAM Configuration

Next, update the OAM configuration using the OAM console, which you reach at http://your_idm_servername:your_port/oamconsole. In our example that is http://ateamref-idm.us.oracle.com:7777/oamconsole.

[Screenshot: oamconsole1]

Click on System Configuration -> Access Manager Settings

[Screenshot: oamconsole2]

Double click on Access Manager Settings in the left hand pane

[Screenshot: oamconsole3]

Change the OAM Server Protocol from http to https and the OAM Server Port from 7777 to 4443, then click Apply in the upper right.

[Screenshot: oamconsole4]

Expand SSO Agents on the left side (click the triangle in front of it), then double-click OAM Agents. In the screen that appears, click the Search button.

[Screenshot: oamconsole5]

Click on OraFusionApp_11AG

[Screenshot: oamconsole6]

Change the Logout Redirect URL from http://ateamref-idm.us.oracle.com:7777/oam/server/logout to https://ateamref-idm.us.oracle.com:4443/oam/server/logout

Click Apply to save the changes.

Now switch back to the OAM Agents screen by clicking on that tab again and click on Webgate_IDM_11g

[Screenshot: oamconsole7]

Change the Logout Redirect URL from http://ateamref-idm.us.oracle.com:7777/oam/server/logout to https://ateamref-idm.us.oracle.com:4443/oam/server/logout

Click Apply to save the changes.

To activate these changes restart all the IDM middleware components.

FA Configuration Changes

Changes are required to two files, jps-config.xml and mdm-url-resolver.xml, both located in the config/fmwconfig directory of the CommonDomain home: $CommonDomain/config/fmwconfig.

Update the FA Common Domain jps-config.xml

The first file to change is jps-config.xml. Make a backup of this file, then open it in an editor of your choice.

Search for the string “imp.begin.url”. You should find the line below:

<property name="imp.begin.url" value="http://ateamref-idm.us.oracle.com:7777/oam/server/impersonate/start"/>

Update the entry to use https and your SSL port. Both must change: an http scheme left on the SSL port will not work.

<property name="imp.begin.url" value="https://ateamref-idm.us.oracle.com:4443/oam/server/impersonate/start"/>

Then search for the string “imp.end.url”. You should find the line below:

<property name="imp.end.url" value="http://ateamref-idm.us.oracle.com:7777/oam/server/impersonate/end"/>

Update the entry to use https and your SSL port:

<property name="imp.end.url" value="https://ateamref-idm.us.oracle.com:4443/oam/server/impersonate/end"/>

Then save and close this file.

Update the FA Common Domain mdm-url-resolver.xml

Now make the changes in mdm-url-resolver.xml. Again, make a backup of this file first, then open it in an editor of your choice.

Search for the string “OracleIdentityManagementApp”. You should find six lines that look like this example:

 <entry key="OracleIdentityManagementAppExternalHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppExternalPortToken">7777</entry>
 <entry key="OracleIdentityManagementAppExternalProtocolToken">http</entry>
 <entry key="OracleIdentityManagementAppHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppPortToken">7777</entry>
 <entry key="OracleIdentityManagementAppProtocolToken">http</entry>

If the host names already match the hostname of your IDM OHS SSL listener you do not have to change them. Change the two port lines from 7777 to 4443 and the two protocol lines from http to https:

 <entry key="OracleIdentityManagementAppExternalHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppExternalPortToken">4443</entry>
 <entry key="OracleIdentityManagementAppExternalProtocolToken">https</entry>
 <entry key="OracleIdentityManagementAppHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppPortToken">4443</entry>
 <entry key="OracleIdentityManagementAppProtocolToken">https</entry>

When you have finished these changes, save and close the file.

For everything to work correctly, do a complete stop and start of the whole FA environment, including IDM.
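As an added example (not from the original post), this POSIX shell script applies the two FA Common Domain edits above and checks them: it backs up each file, switches the IDM front-end URLs and the OracleIdentityManagementApp* port and protocol tokens to https and the SSL port, and then greps for anything still pointing at the IDM host over plain http. It also repairs the mismatched case of an http scheme left on the SSL port, which a hand edit can easily produce. The host name and ports default to the post's example values; $CommonDomain and the sample files the script generates when run without arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Switches the IDM front-end
# references in the FA Common Domain jps-config.xml and mdm-url-resolver.xml
# to https and the SSL port, then checks that nothing plain-http remains.
# Host and ports default to the post's example values; $CommonDomain is
# assumed to be set as in the post when real files are passed in.

IDM_HOST="${IDM_HOST:-ateamref-idm.us.oracle.com}"
OLD_PORT="${OLD_PORT:-7777}"
SSL_PORT="${SSL_PORT:-4443}"

# Rewrite one file in place after taking a timestamped backup:
#  1. http://HOST:OLD_PORT -> https://HOST:SSL_PORT   (imp.begin.url and friends)
#  2. http://HOST:SSL_PORT -> https://HOST:SSL_PORT   (scheme/port mismatch:
#     plaintext sent to the SSL listener never works, so repair it too)
#  3. OracleIdentityManagementApp*PortToken / *ProtocolToken entries
# Only URLs of this host and these tokens are touched; nothing else changes.
switch_idm_to_ssl() {
    f="$1"
    cp -p "$f" "$f.$(date +%Y%m%d%H%M%S).bak" || return 1
    sed \
        -e "s#http://${IDM_HOST}:${OLD_PORT}\([/\"]\)#https://${IDM_HOST}:${SSL_PORT}\1#g" \
        -e "s#http://${IDM_HOST}:${SSL_PORT}\([/\"]\)#https://${IDM_HOST}:${SSL_PORT}\1#g" \
        -e "s#\(OracleIdentityManagementApp[A-Za-z]*PortToken\">\)${OLD_PORT}<#\1${SSL_PORT}<#g" \
        -e "s#\(OracleIdentityManagementApp[A-Za-z]*ProtocolToken\">\)http<#\1https<#g" \
        "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Print any line that still points at the IDM host over plain http, or an IDM
# token still carrying the old port or the http protocol; return 1 if found.
check_no_plain_http() {
    [ -r "$1" ] || return 2
    if grep -n \
        -e "http://${IDM_HOST}:" \
        -e "OracleIdentityManagementApp[A-Za-z]*PortToken\">${OLD_PORT}<" \
        -e "OracleIdentityManagementApp[A-Za-z]*ProtocolToken\">http<" "$1"
    then
        return 1
    fi
    return 0
}

main() {
    if [ "$#" -eq 0 ]; then
        # No arguments: build constructed samples (not real FA configuration)
        # in a temporary directory. The imp.end.url line deliberately shows the
        # http-on-4443 mismatch that the second sed expression repairs.
        d="$(mktemp -d)"
        cat > "$d/jps-config.xml" <<'EOF'
<property name="imp.begin.url" value="http://ateamref-idm.us.oracle.com:7777/oam/server/impersonate/start"/>
<property name="imp.end.url" value="http://ateamref-idm.us.oracle.com:4443/oam/server/impersonate/end"/>
EOF
        cat > "$d/mdm-url-resolver.xml" <<'EOF'
 <entry key="OracleIdentityManagementAppExternalHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppExternalPortToken">7777</entry>
 <entry key="OracleIdentityManagementAppExternalProtocolToken">http</entry>
 <entry key="OracleIdentityManagementAppHostToken">ateamref-idm.us.oracle.com</entry>
 <entry key="OracleIdentityManagementAppPortToken">7777</entry>
 <entry key="OracleIdentityManagementAppProtocolToken">http</entry>
EOF
        set -- "$d/jps-config.xml" "$d/mdm-url-resolver.xml"
    fi
    rc=0
    for f in "$@"; do
        switch_idm_to_ssl "$f" || { echo "rewrite failed: $f" >&2; rc=1; continue; }
        if check_no_plain_http "$f"; then
            echo "OK: $f"
        else
            echo "still plain http: $f" >&2; rc=1
        fi
    done
    return $rc
}
main "$@"
```

Against a real environment run it as `sh fa_idm_ssl.sh $CommonDomain/config/fmwconfig/jps-config.xml $CommonDomain/config/fmwconfig/mdm-url-resolver.xml` with the domain stopped; the .bak copies it leaves beside each file are the backups the post asks for. Running it without arguments only touches the constructed samples.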

Summary

Our recommendation is that SSL is always enabled and if you have not done so then please use the steps in this post to enable SSL post provisioning.
