OAM 11g – UCM Integration

Introduction

I have been involved with many customers who are integrating OAM 11g with Universal Content Manager 11g (UCM), and I know that trying to follow the OAM documentation can be daunting. So I put together my own integration document/blog post. Rather than re-invent the wheel, this post builds on the documentation we already have. Think of it as a checklist of the steps I implemented to get my own internal environment working.

Main Article

Prerequisites

  1. Install and configure UCM.
  2. Install the WebLogic plug-in on OHS that fixes a bug affecting UCM: http://www.oracle.com/technetwork/middleware/ias/downloads/wls-plugins-096117.html

High Level Steps/Checklist

  1. Configure an OHS server to proxy all requests to UCM (/cs, /adfAuthentication and /_ocsh).
  2. Register a webgate with the URLs you want to protect.
  3. Configure an OAM Identity Asserter and LDAP/OVD provider in WebLogic.
  4. Validate that users can access UCM with WLS security.
  5. Install a webgate on the OHS server and validate.

Detail Steps

Follow the documentation to configure OAM Access Manager 11g with Oracle UCM, Section 5.2.3.1: http://download.oracle.com/docs/cd/E21764_01/doc.1111/e10792/c03_security.htm#CDDHGCCC

The documentation does not make clear whether to install the Webgate on the OHS server first. I recommend installing the webgate at the end.

5.2.3.1 – Configuring Oracle Access Manager 11g with Oracle UCM
1.a. In our use case, we only need to proxy and protect the UCM URIs below.

# UCM Content Server
<Location /cs>
   SetHandler weblogic-handler
   WebLogicHost <hostname>
   WebLogicPort <portnumber>
</Location>
# UCM Content Server authentication
<Location /adfAuthentication>
   SetHandler weblogic-handler
   WebLogicHost <hostname>
   WebLogicPort <portnumber>
</Location>
# UCM online help
<Location /_ocsh>
   SetHandler weblogic-handler
   WebLogicHost <hostname>
   WebLogicPort <portnumber>
</Location>

b. Use the remote registration tool oamreg as follows in section 15.2.2.2:

http://download.oracle.com/docs/cd/E21764_01/core.1111/e100/osso_b_oam11g.htm#JISEC9104

15.2.2.2 – Provision with 11g Webgate
1. Acquire the tool
a. The rreg tool can be found and executed on the same box where OAM is installed. No need to un-tar.
2. Create a new UCM-Request.xml:

<OAM11GRegRequest>
   <serverAddress>http://ateam-hq66.us.oracle.com:7003</serverAddress>
   <hostIdentifier>UCM-INT</hostIdentifier>
   <agentName>UCM-INT</agentName>
   <protectedResourcesList>
   <resource>/adfAuthentication</resource>
   </protectedResourcesList>
   <publicResourcesList>
   <resource>/cs</resource>
   <resource>/_ocsh</resource>
   </publicResourcesList>
</OAM11GRegRequest>

3. On the command line, execute the following:

./bin/oamreg.sh inband input/UCM-Request.xml

When prompted for the admin user and password, make sure the user belongs to the system store you configured for OAM (e.g. testuser1/welcome1).
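The two artifacts above, the OHS Location blocks and the OAM11GRegRequest, have to agree: every path OHS proxies to UCM should appear in exactly one of the protected or public lists, otherwise the webgate has no policy for it. The script below is an added example written for this post, not Oracle code; it parses both files and reports proxied paths that were never registered. The sample inputs are constructed (placeholder host names and ports, plus a hypothetical extra /idcplg block that was proxied but forgotten in the request), and the comparison is an exact path match that does not model OAM's own resource pattern semantics.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the three UCM Location blocks from the post with
# placeholder host/port values, plus one hypothetical block (/idcplg) that is
# proxied to UCM but never registered with OAM.
OHS_CONF = """
# UCM Content Server
<Location /cs>
   SetHandler weblogic-handler
   WebLogicHost ucm.example.internal
   WebLogicPort 16200
</Location>
# UCM Content Server authentication
<Location /adfAuthentication>
   SetHandler weblogic-handler
   WebLogicHost ucm.example.internal
   WebLogicPort 16200
</Location>
# UCM online help
<Location /_ocsh>
   SetHandler weblogic-handler
   WebLogicHost ucm.example.internal
   WebLogicPort 16200
</Location>
# Hypothetical extra path added later and not registered with OAM
<Location /idcplg>
   SetHandler weblogic-handler
   WebLogicHost ucm.example.internal
   WebLogicPort 16200
</Location>
"""

# The registration request from the post, with a placeholder OAM server address.
REG_REQUEST = """<OAM11GRegRequest>
   <serverAddress>http://oam-admin.example.internal:7001</serverAddress>
   <hostIdentifier>UCM-INT</hostIdentifier>
   <agentName>UCM-INT</agentName>
   <protectedResourcesList>
   <resource>/adfAuthentication</resource>
   </protectedResourcesList>
   <publicResourcesList>
   <resource>/cs</resource>
   <resource>/_ocsh</resource>
   </publicResourcesList>
</OAM11GRegRequest>"""

LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.S | re.I)


def proxied_paths(conf):
    """Paths of <Location> blocks that hand requests to the WebLogic plug-in."""
    return [path for path, body in LOCATION_RE.findall(conf)
            if re.search(r"SetHandler\s+weblogic-handler", body, re.I)]


def registered_resources(xml_text):
    """(protected, public) resource lists from an OAM11GRegRequest document."""
    root = ET.fromstring(xml_text)
    protected = [r.text.strip() for r in root.findall("./protectedResourcesList/resource")]
    public = [r.text.strip() for r in root.findall("./publicResourcesList/resource")]
    return protected, public


def coverage_report(conf, xml_text):
    """Compare what OHS proxies with what the agent registration covers.

    Exact-match comparison only: OAM resource patterns (wildcards such as
    /cs/.../*) are not modelled here.
    """
    proxied = proxied_paths(conf)
    protected, public = registered_resources(xml_text)
    registered = set(protected) | set(public)
    return {
        "proxied": proxied,
        "protected": protected,
        "public": public,
        # Proxied to UCM but in neither list: the webgate has no policy for it.
        "unregistered": [p for p in proxied if p not in registered],
        # Listed as both protected and public: ambiguous, fix the request.
        "in_both_lists": sorted(set(protected) & set(public)),
    }


if __name__ == "__main__":
    for key, value in coverage_report(OHS_CONF, REG_REQUEST).items():
        print("%-14s %s" % (key, value))
```

Run it against your real httpd.conf (or the mod_wl_ohs.conf include) and the request XML you feed to oamreg; anything under "unregistered" is a path users can reach through OHS without the webgate ever consulting an OAM policy.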

2. Continuing Section 5.2.3.1

You can configure the OAM Asserter and LDAP/OVD Authenticator before installing a webgate. Once the LDAP/OVD authenticator is configured, I recommend testing UCM to make sure that you can bind as a user that exists in the provider you configured.

The order of the providers should be as follows:


OAM Identity Asserter
The following ‘Common’ parameters should be set as:

Leave the default values for the ‘Provider Specific’ tab.


OVD Provider
‘Common’ tab:


‘Provider Specific’ tab:

Based on the back-end LDAP repository, make sure that you specify the correct object class and user name attribute within the LDAP filters. In our case, we used ‘inetorgperson’ and ‘uid’ for a user object and ‘groupofuniquenames’ and ‘uniquemember’ for groups.


3. After installing and configuring OAM 11g

I recommend installing the webgate now. The documentation has no good links for installing Webgate 11g; use the following: http://download.oracle.com/docs/cd/E21764_01/install.1111/e12002/webgate.htm#CACCBCFF

Section 20.2.4
You will need the gcc libraries. They can be downloaded here:
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html
Look for ‘GCC Libraries for Oracle Identity Federation’.

Extract the gcc libraries from the cpio file with:

cpio -idvm < <cpio_file>

Section 20.4
Step 2 – Ran the command:

./deployWebgateInstance.sh -w /u0/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/ohs1 -oh /u0/Oracle/Middleware11.1.1.5/Oracle_OAMWebgate1

Step 3

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/Oracle/Middleware11.1.1.5/Oracle_WT1/lib

Step 5 – Ran the command:

./EditHttpConf -w /u01/Oracle/Middleware11.1.1.5/Oracle_WT1/instances/instance1/config/OHS/.ohs1

b. Next you will need to copy the artifacts that were generated in step 3 of section 15.2.2.2. Copy ‘ObAccessClient.xml’ and ‘cwallet.sso’ from the ‘output/UCM-INT’ directory under ‘rreg’ to the webgate’s /config directory.

Webgate installation is complete. Make sure that the OAM managed server is running, then restart the OHS server.
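The copy in step b is the one place where a secret changes hands: cwallet.sso carries the credential the webgate uses to talk to OAM, so it should never end up world-readable in the webgate config directory. The helper below is an added example written for this post, not part of OAM, oamreg or UCM; it checks that oamreg actually produced both artifacts for the agent, copies them, and sets owner-only permissions on the wallet. The rreg output and webgate config paths used in demo() are constructed inside a temporary directory and stand in for the real ‘rreg/output/UCM-INT’ and ‘<webgate home>/webgate/config’ locations.

```python
import os
import shutil
import stat
import tempfile

# Hypothetical helper for this post: stage the files oamreg writes under
# rreg/output/<agent> into the webgate instance's config directory.
ARTIFACTS = ("ObAccessClient.xml", "cwallet.sso")


def stage_webgate_artifacts(rreg_output_dir, webgate_config_dir):
    """Copy the oamreg artifacts for one agent into the webgate config directory.

    Raises FileNotFoundError if either artifact is missing; the usual causes are
    a registration that never ran, or an agentName that differs from the output
    directory you are copying from. Returns the permission mode set on each file.
    """
    missing = [f for f in ARTIFACTS
               if not os.path.isfile(os.path.join(rreg_output_dir, f))]
    if missing:
        raise FileNotFoundError("missing in %s: %s" % (rreg_output_dir, ", ".join(missing)))
    os.makedirs(webgate_config_dir, exist_ok=True)
    modes = {}
    for name in ARTIFACTS:
        dst = os.path.join(webgate_config_dir, name)
        shutil.copyfile(os.path.join(rreg_output_dir, name), dst)
        # cwallet.sso holds the agent credential: owner read/write only.
        # ObAccessClient.xml is configuration (server addresses, agent id):
        # owner read/write, group read, nothing for others.
        mode = 0o600 if name == "cwallet.sso" else 0o640
        os.chmod(dst, mode)
        modes[name] = stat.S_IMODE(os.stat(dst).st_mode)
    return modes


def demo():
    """Build a constructed rreg output tree in a temp dir and stage it."""
    root = tempfile.mkdtemp()
    try:
        src = os.path.join(root, "rreg", "output", "UCM-INT")
        os.makedirs(src)
        for name in ARTIFACTS:
            with open(os.path.join(src, name), "w") as fh:
                fh.write("constructed placeholder for %s\n" % name)
        dst = os.path.join(root, "Oracle_OAMWebgate1", "webgate", "config")
        modes = stage_webgate_artifacts(src, dst)
        # An agent directory that was never registered has no artifacts and
        # must be rejected rather than silently leaving the webgate unconfigured.
        try:
            stage_webgate_artifacts(os.path.join(root, "rreg", "output", "NOT-REGISTERED"), dst)
            rejected = False
        except FileNotFoundError:
            rejected = True
        return {"modes": modes, "rejected_missing": rejected}
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Run the staging as the OS user that owns the OHS instance so the owner-only mode on cwallet.sso still lets the webgate read it after the OHS restart.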


Troubleshooting tips:

Cannot log in via OAM – a few things to verify:

  • Make sure that the LDAP Authentication Module in the OAM console is pointing to the correct data store.
  • Make sure that the OVD provider in WLS matches the same OAM data store configuration.

Login looping issue:

  • In some cases we see a looping issue when using IE when the clocks are out of sync between the webgate machine and the OAM server machine.

Logout not working:

  • Follow the instructions to configure UCM logout with OAM: http://download.oracle.com/docs/cd/E17904_01/doc.1111/e14770/ucm.htm#ASRLA3579

In my next post, I will continue to integrate my OAM environment to include the Image Processing Management (IPM) tool, which requires UCM.
