| Agile Product Lifecycle Management Administrator Guide Release 9.3.6 E71145-18 |
Agile PLM can be integrated with several different Single-Sign-On (SSO) solutions.
Once an SSO solution has been configured and enabled in an Agile PLM environment, a user that has already signed into the system once (for instance, through an SSO-enabled corporate portal) is not prompted again with a "login" dialog in that environment in cases such as:
Launching Web Client
Clicking on a URL for an email notification
When launching the Microsoft Excel-based Solution from a Declaration
When Web Client times out.
Note: SSO solutions are web-based and can therefore be enabled only for Agile PLM Web Client access. SSO cannot be used for non-web interfaces such as the Agile PLM Java Client and the SDK.
Single Sign-On integrates Agile PLM with centralized security management and with other business and training applications, and improves user productivity in the Agile Web Client environment.
SAML2 SSO can be used to implement multi-factor authentication (MFA, 2FA) for Agile PLM by configuring and enabling additional authentication factors in the SAML2 Identity Provider; the additional factors are enforced by the IdP before it issues the assertion to Agile PLM.
The sections below give a general overview of Single Sign-On in Agile PLM, followed by steps to configure and deploy SSO with either SAML2, OAM or Windows NTLM.
Configuring SSO with a SAML 2.0 Identity Provider for Agile PLM involves two elements:
Configuring Agile PLM as a SAML 2.0 Service Provider (SP)
To perform this configuration, follow the steps in section [1] below.
Configuring a SAML 2.0 Identity Provider (IdP, for example, Oracle IDCS or Okta) for Agile PLM
To perform this configuration using Oracle IDCS, follow the steps in section [2-IDCS] below.
To perform this configuration using Okta, follow the steps in section [2-Okta] below.
To Configure Agile PLM as a SAML 2.0 Service Provider:
Log into the WebLogic Server Console as an administrator.
Click Lock & Edit.
Click Security Realm.
Click AgileRealm.
Click Providers, and then click New.
Enter AgileSAML2IA as Name, select SAML2IdentityAsserter as Type, and then click OK.
On the Providers page, click New.
For Name, enter AgileSAMLAT. For Type, select SAMLAuthenticator. Click OK. The new Provider is displayed in the Authentication Providers table.
Click Reorder.
Order the providers as follows:
AgileSAML2IA
AgileSAMLAT
TrustServiceIdentityAsserter
AgileAuthenticator
DefaultAuthenticator
Click OK.
Click AgileSAMLAT.
For Control Flag select OPTIONAL and then click Save.
Click Activate Changes.
Restart all WebLogic servers in the domain.
Locate the RCU schema connection information: the JDBC URL, JDBC driver, schema user and password (for example in the file <AgileHome>/agileDomain/config/jdbc/opss-auditview-jdbc.xml).
Open SQL*Plus using the RCU schema information from the previous step and run the SQL script <FMW_HOME>/wlserver/server/lib/rdbms_security_store_oracle.sql.
Log into the WebLogic console as the administrator and enable the RDBMS security store by entering the RDBMS connection information (Home > Summary of Security Realms > AgileRealm > Configuration > RDBMS Security Store). The RDBMS security store is required for the WebLogic SAML 2.0 services in a cluster, because the SAML partner registry must be shared by all managed servers.
Note: Enter the schema password in plain text, not an encrypted value. The password is encrypted when it is saved.
Click Save, then Activate Changes, and restart the WebLogic servers if necessary.
Log into the WebLogic Server Console as an administrator.
Click Lock & Edit.
Click Security Realm.
Click AgileRealm.
Click Providers, click AgileSAML2IA, and click the Management tab.
Click the New drop-down and select New Web Single Sign-On Identity Provider Partner.
Enter a name in the Name field (e.g. WebSSO-IdP-Partner-1), select the IdP XML metadata configuration file which you received from the IdP, and then click OK.
Click the newly created IdP (e.g. WebSSO-IdP-Partner-1)
Set the Enabled checkbox and input the following Redirect URIs:
Note: In this configuration, the /Agile/default/login-cms.jsp URI can be used for non-SSO logins.
Click Save and then click Activate Changes.
This section requires that you define a SAML signing key, used to sign the SAML assertion, in an "identity keystore", and that this key be trusted, meaning that the key and/or its trust chain appears in the "trust keystore". The following steps describe how to create and configure a new keystore with a new key to be used as the SAML signing key.
Generate Keystore
Generate a JKS keystore and SSO signing key. The keytool command below is an example: welcome1 is a placeholder passphrase that must be replaced with a strong one, and an RSA key of at least 2048 bits (keytool's -keysize option) should be used.
keytool -genkey -keypass welcome1 -keystore SpIdentity.jks -storepass welcome1 -keyalg rsa -alias sp
Note: It may be necessary to convert the keystore to PKCS12 format.
Note: The keytool command with the -list option can be used to review the contents of the keystore and the format of the key.
Note: In a cluster, the keystore must be accessible to each machine running a managed server.
The following steps describe how to configure the new keystore created in the previous step as a Custom Identity Keystore with a Custom Trust Keystore. This example assumes that the Java Standard Trust Keystore is not needed to establish trust for SAML signing key or any SSL certificates.
Note: If SSL is configured, the trust keystore is shared between SSL and SAML, so a single keystore must be defined to WebLogic Server that contains the trust chain for both the SSL certificate(s) and the SAML signing key.
Configure Keystores
Log into the WebLogic Server console as an administrator.
Click Lock & Edit.
Note: In a cluster, the following steps must be performed for each managed server.
Click on Environment and then Servers and then click on the WebLogic server name.
Under the Configuration tab, click the Keystores sub tab.
Click the Change button and select Custom Identity and Custom Trust.
For Custom Identity Keystore, enter the path to the JKS file generated earlier (e.g. file SpIdentity.jks in the example keytool command above).
For Custom Identity Keystore Type, enter jks.
Enter and confirm the Custom Identity Keystore Passphrase (e.g. welcome1 in the example keytool command above).
Configure the Custom Trust Keystore and then click Save.
Under the Configuration tab, click the Federation Services sub tab and then click the SAML 2.0 General sub tab.
Fill the fields in the Site Info section. For Published Site URL, use the protocol/host/port used to access the application (in a cluster, this would be the URL for the load-balancer virtual server) and add the URI /saml2 (e.g. https://agileplm.mydomain.com/saml2). Note: this implies that the proxy and/or load-balancer must pass requests for the /saml2 context to the [managed] server(s).
In the Single Sign-On section, for Single Sign-on Signing Key Alias enter the key alias (e.g. sp in the example keytool command above). Enter and confirm the Single Sign-on Signing Key Pass Phrase (e.g. welcome1 in the example keytool command above).
Click Save.
[OPTIONAL] Click Publish Meta Data to save the SP metadata to a file (e.g. for use when registering Agile PLM as a SP with your IdP).
Under the Configuration tab, click the Federation Services sub tab and then click the SAML 2.0 Service Provider sub tab.
Set the Enabled checkbox. In the Default URL field, input the Agile PLM web client URL (https://agileplm.mydomain.com/Agile/PLMServlet).
Click Save and then click Activate Changes.
To configure Oracle IDCS as an IdP for Agile PLM:
Log into the Oracle Identity Cloud Service console as an administrator.
Expand the Navigation Drawer, click Applications, and then click Add.
Click SAML Application.
On the Details tab, enter a Name for the SAML application (e.g. Agile PLM 9.3.6 Dev).
On the SSO Configuration tab, provide the information as follows (in the URL examples below, replace https://myhost.mydomain.com with the protocol/host/port from the Web Server URL used to access Agile PLM):
Table A-1
| Information | Values |
|---|---|
| [General] | |
| Entity ID | https://myhost.mydomain.com/spentityid |
| Assertion Consumer URL | https://myhost.mydomain.com/saml2/sp/acs/post |
| NameId Format | Unspecified |
| NameId Value | User Name |
| Signing Certificate | <upload the signing certificate> (the SP signing certificate exported from the keystore created above) |
| [Advanced Settings] | |
| Signed SSO | Assertion and Response |
| Include Signing Certificate in Signature | <checked> |
| Signature Hashing Algorithm | SHA-256 |
Note: In the table above, Entity ID is simply a globally unique identifier. By convention, a URL is typically used for Entity ID. If a URL is used, it is simply a string and does not need to be resolvable.
Define users and groups on the Users and Groups tabs. Make sure that the user's Login ID exists in Agile PLM. Assign the users and groups to the application.
To configure Okta as an IdP for Agile PLM:
Log into Okta Admin.
Navigate to Applications and click Add Application. Then click Create New App.
For Platform choose Web. For Sign on Method, select SAML 2.0. Click Create.
Input General Settings information.
For the Configure SAML step, input SAML Settings as follows (in the URL examples below, replace https://myhost.mydomain.com with the protocol/host/port from the Web Server URL used to access Agile PLM):
Table A-2
| Information | Values |
|---|---|
| [General] | |
| Single sign on URL | https://myhost.mydomain.com/saml2/sp/acs/post |
| Use this for Recipient URL and Destination URL | <checked> |
| Allow this app to request other SSO URLs | <unchecked> |
| Audience URI aka Audience Restriction (SP Entity Id) | https://myhost.mydomain.com/spentityid |
| Default RelayState | <blank> |
| Name ID Format | Unspecified |
| Application username | Okta username |
Note: In the table above, SP Entity ID is simply a globally unique identifier. By convention, a URL is typically used for Entity ID. If a URL is used, it is simply a string and does not need to be resolvable.
Continue to complete the creation of the application.
Click the Sign On tab of the newly created application. Click Identity Provider Metadata to download the IdP metadata profile file.
Update agile.properties adding the following property/value pair and restart the WebLogic server(s).
saml.sso.enabled=true
Note: In a cluster, agile.properties must be updated and the WebLogic managed server(s) restarted on each host having a managed server.
When configuring the Federation Services and attempting to Publish Meta Data, you may encounter the error message SAML2Service Unavailable.
The workaround is to remove the Single Sign-on Signing Key Alias and Pass Phrase from the Federation Services > SAML 2.0 General tab, enter the private key alias and password on the server's SSL configuration tab instead, and restart the server. Then re-enter the Single Sign-on Signing Key Alias and Pass Phrase on the SAML 2.0 General tab, click Save, and Activate Changes.
When configuring the Identity Provider partner you may encounter the error message No SAML2 service identity ID configured.
The solution is to configure the SAML 2.0 service Entity ID (Site Info section of the SAML 2.0 General tab) in the Federation Services configuration.
Oracle Access Manager (OAM) ensures authentication and strict authorization policies are applied to your applications and services such as:
Controlled access to web applications, Enterprise Java Beans (EJB) applications, J2EE resources, and common packaged enterprise applications.
Web SSO for secure access to multiple applications with one authentication step.
Flexible authentication support.
Agile PLM 9.3.6 is certified with OAM (11gR2) suite of products.
This section covers Oracle Access Manager (OAM) 11gR2 configuration with Agile PLM.
Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.
Ensure the following components have been downloaded and installed.
An installed, configured and tested IIS 8.5 web server with Agile PLM 9.3.6. Refer to the Knowledge Base for details.
OAM WebGate 10g and WebGate 10g Patch 13 for IIS, downloaded from:
http://www.oracle.com/technetwork/middleware/ias/downloads/101401-099957.html
Get oam_int_win_v12_cd1.zip from disk11 for Windows.
Extract it and start the installation using Oracle_Access_Manager10_1_4_3_0_CR2_Win64_ISAPI_WebGate.exe.
Install OAM WebGate 10g on the same system as the IIS 8.5 web server.
Download WebGate 10g Patch 13 (p18708753_10143_MSWIN-x86-64.zip from Disk11) from OTN for Microsoft Windows and install it.
Ensure that IIS 8.5 is installed with all Role Services. If not, add them from Server Manager: navigate to Web Server, right-click, choose Add Role Services, and add all role services. Refer to the Knowledge Base for details.
The following sections/main steps explain the configuration of the OAM 11gR2 Server with the Agile PLM 9.3.6 application:
To perform OAM WebGate Agent registration in OAMServer:
Create a WebGate entry on OAM console through UI mode Steps:
Click New OAM WebGate 10g in welcome page.
Enter the Name. The host identifier will populate automatically.
Click Apply.
The following steps must be performed after the installation of OAM10g WebGate for IIS 8.5 web server:
Navigate to the site's ISAPI Filters feature and add a filter named OracleWebGate that points to webgate.dll.
Navigate to Site.
Right-click Add Application.
Give alias name as access and point physical path to Web Gate\access folder.
Navigate to Host Level.
Click ISAPI and CGI Restrictions.
Click Add.
Add the path to webgate.dll and type description as OracleWebGate.
Select check box Allow extension path to execute.
Click OK.
Navigate to Web Gate/access.
Right click Properties.
Navigate to Security.
Assign Full Control to Everyone.
Note: Full Control for Everyone is broader than WebGate needs. Where possible, restrict the permissions on the access folder to the IIS worker process identity (for example IIS_IUSRS or the application pool identity) and grant only the rights WebGate requires.
Restart IIS.
To configure WebLogic proxy for IIS 8.5 web server:
Ensure that you have installed and configured the WebLogic proxy plug-in patch for the IIS 8.5 web server.
Download the WLS12.2.1.1 Proxy Plugin WLSPlugin12.2.1.1-IIS-Win64.zip from the location:
http://www.oracle.com/technetwork/middleware/webtier/downloads/index.html
Extract the plug-in zip to location C:\myhome\weblogic-plugins-1.1.
|
Note: This will be referred as the variable PLUGIN_HOME going forward. |
Create the iisproxy.ini file in %PLUGIN_HOME%\lib\ with the following contents:
WebLogicHost=wls-host
WebLogicPort=wls-port
Debug=ALL
WLLogFile=C:\Temp\wl-proxy.log
WLExcludePathOrMimeType=/obrar.cgi
Note: Debug=ALL with WLLogFile produces verbose per-request logging for troubleshooting; reduce or remove it in production. The /obrar.cgi exclusion keeps the WebGate authentication-response callback on the web server instead of proxying it to WebLogic.
Ensure that the %PLUGIN_HOME%\lib is included in the system PATH
(Control-Panel > System > System Properties > Environment Variables > System Properties > PATH)
Open IIS Manager, use 'Default Web Site' or create a 'Web Site' based on your needs.
Click the site.
Open 'Handler Mappings' and add a script map
Set the request path ('Extension') to '/Agile/*'.
Set 'Executable' to %PLUGIN_HOME%\lib\iisproxy.dll
Give a 'Name'
Create the Script Map:
In the handler mapping, Open Above Added script map.
Click Request Restrictions, Mapping tab.
Uncheck "Invoke handler only if the request is mapped to"
Click OK.
Click Yes in Edit Script Map prompt.
Create a new directory oamsso under <IIS inetpub>\wwwroot\ and copy the file logout.html into it from the OAM server directory <Middleware Home>\user_projects\domains\oam_domain\output\<935IIS Agent>.
Navigate to Host Level and click on ISAPI and CGI Restrictions and click on Add, add the path to iisproxy.dll and select allow extension path to execute.
Open IIS Manager, use either 'Default Web Site' or create a 'Web Site'.
Click on the site.
Double-click on Request Filtering in right pane.
Click Edit Feature Settings in Actions pane.
In Edit Request Filtering Settings Dialog, change Maximum query string (Bytes) to:
4096
Click OK.
Note: If you need to add any protected or unprotected resources for specific functionality, add those resource URLs as handler mappings by following the same process above.
Restart IIS.
To configure OAM WebGate:
Add the authorization policy as below:
Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the Agent in this case) > Authorization Policies.
Open Protected Resources Policy.
Navigate to Response tab.
Add Response as below:
Name= remote-user
Type=Header
Value=$user.attr.dn
Click Apply.
Configure Resources for Web gate:
Add these resources with webroot context (in this case Agile):
Add resource URLs
/Agile
/Agile/.../*
with Authentication and Authorization policy as Protected Resource Policy.
Exclude the resources for the Gantt chart.
The static resources listed below must be excluded from WebGate protection for the Gantt chart to work. Use the webroot context when creating the resources to exclude.
Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate10g Agents.
Click Resources.
In the Resources window, click Search.
Add the following Resource Types by using the Create button. In the Create New page:
Select Type as HTTP.
Select the Host Identifier of the Web Gate Agent.
Type the Resource URL with webroot context.
Select Protection level as Excluded.
Add the resources as shown in the following figure.
Navigate to the WebLogic console where the Agile application is installed and create AgileIdentityAsserter.
In WLS Console:
Click Lock and Edit.
Move to Summary of Security Realms >AgileRealm >Providers.
Click New.
Create a new authentication provider named AgileIdentityAsserter of type AgileIdentityAssertion.
Open the added AgileIdentityAsserter.
Select the Active type as remote-user and Save.
Click Activate Changes.
Logout from the console.
Open the agile.properties file and add the following settings:
oam.header.name=remote-user
oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet
Note: /Agile is the web-root context for the installed application.
Open web.xml (application.ear\application.war\WEB-INF\web.xml) and change auth-method as below. client-cert enables perimeter authentication through the identity asserter; form remains as the fallback for non-SSO logins.
<auth-method>client-cert, form</auth-method>
Restart the WebLogic Application Server where the Agile Application is installed.
Configure the LDAP server used as the identity store in OAM with Agile, migrate the LDAP users into the Agile application, and activate the LDAP users.
Log into the Agile Java Client.
Navigate to the Location node.
Enter the Web Server Proxy URL.
Restart the File Manager.
Attempt to log in to the Agile proxy URL using the IIS 8.5 web server port number as configured.
You should see the OAM credentials page.
Enter the username and password of a user from the LDAP identity store configured in OAM; the Agile application home page should be presented.
Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.
Ensure the following components have been downloaded and installed.
Download OHS 12.1.3 from the URL below:
http://www.oracle.com/technetwork/middleware/webtier/downloads/index-jsp-156711.html
Extract the zip file and then run the .exe file.
Installation steps:
Choose an Oracle Home that is different from the WebLogic Home.
Choose Standalone HTTP Server (Managed independently of WebLogic server).
Ensure that all the checks are passed.
Click Next button next to the installation progress panel to install OHS.
Create an OHS instance:
Cd to $OHS_HOME\oracle_common\common\bin
Enter:
config.sh
to launch the Configuration wizard.
Choose:
Create a new domain
Check:
Oracle HTTP Server (standalone) - 12.1.3.0 [ohs]
Use the default JDK version:
Oracle HotSpot 1.7.0_51
Create:
Component ohs1
Define the following parameters:
Admin Host = OHS Server Host
Admin Port = 9999
Listen Port = 7777
SSL Listen Port = 4443
Enter the username and password for Node Manager. Oracle123! is the example password used in this guide; choose your own.
Create the instance.
Configure the instance:
Go to the directory:
$OHS_HOME\user_projects\domains\base_domain\config\fmwconfig\components\OHS\ohs1
Edit:
mod_wl_ohs.conf
Add the information shown below (Debug ON and WLLogFile are for troubleshooting; turn them off in production):
<IfModule weblogic_module>
WebLogicHost <Agile-wls host>
WebLogicPort <Agile-wls port>
Debug ON
WLLogFile <Temp location>/weblogic.log
</IfModule>
<Location /Agile>
WLSRequest on
</Location>
<Location /JavaClient>
WLSRequest on
</Location>
<Location /CoreService>
WLSRequest on
</Location>
Start Node Manager:
Go to the directory:
$OHS_HOME\user_projects\domains\base_domain\bin
Run:
startNodeManager.cmd
Start OHS component by using the command:
startComponent.cmd ohs1
WebGate is installed by default once OHS 12.1.3 is installed.
The following sections/main steps explain the configuration of the OAM 11gR2 Server with the Agile PLM 9.3.6 application:
Create WebGate11g Agent in OAM Console:
A. The following steps are required post installation of WebGate 11g for the OHS 12.1.3 web server, on the server where you installed OHS and WebGate.
Deploy WebGate:
Go to the directory:
<OHSHOME>/webgate/ohs/tools/deployWebGate
Run the deployWebGateInstance.sh as below:
./deployWebGateInstance.sh -w <OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh <OHSHOME>
You should see the following sample on the console:
Copying files from WebGate Oracle Home to WebGate Instancedir
Add the OHS library directory to LD_LIBRARY_PATH in the environment:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<OHSHOME>/lib
Update httpd.conf with the WebGate configuration:
Go to directory:
<OHSHOME>/webgate/ohs/tools/setup/InstallTools
Run the command below:
./EditHttpConf -w <OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh <OHSHOME>
You should see the following sample on the console:
The web server configuration file was successfully updated
/scratch/qa/OHSHOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf has been backed up as /scratch/qa/OHSHOME/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.ORIG
Copy the cwallet.sso and ObClientAccess.xml file from OAM Server:
From location <Middleware Home >\user_projects\domains\oam_domain\output\OHS11G in OAM Server
To OHS instance Web Gate directory:<OHSHOME>/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/webgate/config
B. Add the authorization policy:
Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the WebGate11g Agent in this case) > Authorization Policies.
Open Protected Resources Policy.
Navigate to Response Tab.
Add Response as below:
Name= remote-user
Type=Header
Value=$user.attr.dn
Click Apply.
C. Add user defined parameters for the OHS WebGate 11g Agent in OAM Console:
Navigate to OAM Console > System Configuration > Access Manager Settings > SSO Agents > OAM Agents > WebGate 11G Agent.
Add the below parameters to User Defined Parameters attribute:
UniqueCookieNames=enabled
filterOAMAuthnCookie=false
Click Apply.
D. Configure resources for WebGate:
Add these resources with the webroot context (in this case Agile):
Add resource URLs
/Agile
/Agile/.../*
with Authentication and Authorization policy as Protected Resource Policy.
Exclude the resources for the Gantt chart:
The static resources listed below must be excluded from WebGate protection for the Gantt chart to work. Use the webroot context when creating the resources to exclude.
Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate Agents.
Click Resources.
In the Resources window, click Search.
Add the following Resource Types using Create Button.
In Create New page:
Select Type as HTTP.
Select the Host Identifier of the Web Gate Agent.
Type the Resource URL.
Select Protection level as Excluded.
Add the resources as shown in the following figure:
Navigate to the WebLogic console where the Agile application is installed and create AgileIdentityAsserter.
In WLS Console:
Click Lock and Edit.
Move to Summary of Security Realms >AgileRealm >Providers.
Click New.
Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider.
Open the added AgileIdentityAsserter.
Select the Active type as remote-user and Save.
Click Activate Changes.
Logout from the console.
Open the agile.properties file and add the following settings:
oam.header.name=remote-user
oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet
Note: /Agile is the web-root context for the installed application.
Open web.xml (application.ear\application.war\WEB-INF\web.xml) and change auth-method as below:
<auth-method>client-cert, form</auth-method>
Restart the WebLogic Application Server where the Agile Application is installed.
Configure LDAP Server (which is used as identity store in OAM) with Agile, Migrate LDAP Users into Agile Application and Activate LDAP users. See "Agile LDAP Configuration" to configure LDAP Server with Agile PLM.
Login to Agile Java Client.
Navigate to the Location node.
Enter the Web Server Proxy URL.
Restart the File Manager.
Attempt to log in to the Agile proxy URL using the OHS 12.1.3 web server port number as configured.
You should see the OAM Credentials page.
Enter the appropriate OAM (Configured LDAP Identity store user) username and password and the Agile application home page should be presented.
Perform the prerequisite steps, and then perform the configuration steps as explained in the following sections.
Ensure the following components have been downloaded and installed.
Download Apache2.4 from Apache site and install/configure and test Apache2.4 with Agile 9.3.6 (Agile should be installed on WLS12.2.1.1). You can refer to the Oracle Knowledge Base for details.
Download the 11g R2 PS2 (11.1.2.2.0) WebGate software V73670-01.zip for Apache 2.4.x from the Oracle OTN site and install it on the same system where the Apache web server has been installed.
The following sections/main steps explain the configuration of the OAM 11gR2 Server with the Agile PLM 9.3.6 application:
You must add a WebGate Agent for the Apache Webserver in the OAM Server.
To perform OAM WebGate Agent registration in OAMServer:
Create a WebGate entry on OAM console through UI mode Steps:
Click on New OAM WebGate 11g in welcome page.
Enter the Name. The host identifier will populate automatically.
Click Apply.
OAM WebGate Configuration
You must perform the following steps post-installation of WebGate11g for Apache Web Server on the server where you installed Apache and WebGate.
Deploy WebGate:
Go to the directory:
WebGate_Oracle_Home/webgate/apache/tools/deployWebGate
Run the deployWebGateInstance.sh as below:
./deployWebGateInstance.sh -w <WebGate_Instancedir> -oh <WebGate_Oracle_Home> -ws apache
You should see the following sample on the console:
Copying files from WebGate Oracle Home to WebGate Instancedir
Add the WebGate library directory to LD_LIBRARY_PATH in the environment:
export LD_LIBRARY_PATH=<WebGate_Oracle_Home>/webgate/apache/lib
Go to WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools
Run the command below:
./EditHttpConf -f <Apache Home>/conf/httpd.conf -w <WebGate_Instancedir> -oh <WebGate_Oracle_Home> -ws apache24
You should see the following sample on the console:
The web server configuration file was successfully updated.
/scratch/Software/httpd-2.4.10/conf/httpd.conf has been backed up as /scratch/Software/httpd-2.4.10/conf/httpd.conf.ORIG
Copy the cwallet.sso and ObClientAccess.xml file from OAM Server:
From location <Middleware Home>\user_projects\domains\oam_domain\output\OHS11G in the OAM Server to WebGate_Instance_Home/webgate/config
Add the authorization policy:
Navigate to OAM Console > Policy Configuration > Applications domain > Agent (Name of the WebGate11g Agent in this case) > Authorization Policies.
Open Protected Resources Policy.
Navigate to Response Tab.
Add Response as below:
Name= remote-user
Type=Header
Value=$user.attr.dn
Click Apply.
Add user defined parameters for the Apache WebGate 11g Agent in OAM Console:
Navigate to OAM Console > System Configuration > Access Manager Settings > SSO Agents > OAM Agents > WebGate 11G Agent.
Add the below parameters to User Defined Parameters attribute:
UniqueCookieNames=enabled
filterOAMAuthnCookie=false
Click Apply.
Configure Resources for WebGate:
Add these resources with the webroot context (in this case Agile):
Add the resource URLs /Agile and /Agile/.../* with the Authentication and Authorization policy set to Protected Resource Policy.
Exclude the resources for the Gantt chart:
The static resources listed below must be excluded from WebGate protection for the Gantt chart to work. Use the webroot context when creating the resources to exclude.
Navigate to OAM Console > Policy Configuration > Applications domain > Open WebGate Agents
Click Resources.
In the Resources window, click Search.
Add the following Resource Types using Create Button. In Create New page:
Select Type as HTTP.
Select the Host Identifier of the WebGate Agent.
Type the Resource URL with webroot context
Select Protection level as Excluded
Add the resources as below:
Navigate to the WebLogic Administration console where the Agile application is installed and create AgileIdentityAsserter.
In WLS Console, click Lock and Edit.
Move to Summary of Security Realms >AgileRealm >Providers.
Click New and Create AgileIdentityAsserter Authentication with "AgileIdentityAssertion" Provider.
Open the added AgileIdentityAsserter.
Select the Active type as remote-user and then Save.
Click Activate Changes and logout from the console.
Open the agile.properties file and add the following settings (the header name matches the Active type selected for AgileIdentityAsserter above):
oam.header.name=remote-user
oam.sso.logout.url=/oamsso/logout.html?end_url=/Agile/PLMServlet
Note: /Agile is the root context or virtual path for the Agile PLM application.
Open web.xml (application.ear\application.war\WEB-INF\web.xml) and change auth-method as below:
<auth-method>client-cert, form</auth-method>
Restart the WebLogic Application Server where the Agile Application is installed.
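The three OAM variants above (IIS, OHS and Apache) all end the same way: the Protected Resources Policy response writes the authenticated user's DN into the remote-user header, and AgileIdentityAsserter makes WebLogic trust that header. The following added Python example, not Agile PLM, OAM or WebLogic code, models that trust boundary with constructed requests: the web server strips any client-supplied remote-user header before setting the OAM-verified value, the WebGate callback path excluded from proxying stays on the web server, and the application side accepts the header only from the web server's address. The proxy address, session store, DNs and OAM redirect URL are assumptions. WebLogic's identity asserter does not itself check the peer address; in a real deployment that control is a firewall rule or a WebLogic connection filter restricting the Agile PLM port to the web-server hosts, and the example folds it into one function so the failure mode (a forged header sent straight to the WebLogic port) is visible:

```python
"""Trust model behind the AgileIdentityAsserter / remote-user configuration.
Added example, not Agile PLM, OAM or WebLogic code. Addresses, DNs, session IDs
and the OAM login URL are constructed for illustration."""
import ipaddress

HEADER_NAME = "remote-user"                            # oam.header.name
WEBGATE_CALLBACK = "/obrar.cgi"                        # WLExcludePathOrMimeType
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}   # hypothetical web-server host
# Constructed stand-in for WebGate's view of valid OAM sessions -> user DN.
OAM_SESSIONS = {"sess-123": "cn=jsmith,ou=people,dc=example,dc=com"}


def webgate_front_end(req):
    """Web server + WebGate: authenticate with OAM, then forward to WebLogic.

    Returns ('redirect', url) when an OAM login is needed, ('local', path) for
    the WebGate callback that must not be proxied, or ('forward', request)."""
    if req["path"] == WEBGATE_CALLBACK:
        return ("local", req["path"])
    dn = OAM_SESSIONS.get(req.get("oam_cookie"))
    if dn is None:
        return ("redirect", "https://oam.example.com/oam/server/obrareq.cgi")
    # Drop any client-supplied copy of the identity header (case-insensitive)
    # before setting the OAM-verified value: this defeats header injection
    # from the browser side.
    headers = {k: v for k, v in req["headers"].items() if k.lower() != HEADER_NAME}
    headers[HEADER_NAME] = dn
    return ("forward", {"peer": "10.0.0.5", "path": req["path"], "headers": headers})


def weblogic_identity_assertion(req):
    """Application side: map the header to a user, only from a trusted proxy.

    The peer check stands in for the firewall rule / connection filter that a
    real deployment needs, since WebLogic itself does not perform it."""
    if ipaddress.ip_address(req["peer"]) not in TRUSTED_PROXIES:
        return None                     # direct hit on WebLogic: header is untrusted
    value = next((v for k, v in req["headers"].items() if k.lower() == HEADER_NAME), None)
    if not value or not value.lower().startswith("cn="):
        return None                     # absent or malformed DN
    return value


def handle(req):
    """End-to-end outcome for a request that first reaches the web server."""
    outcome, payload = webgate_front_end(req)
    if outcome != "forward":
        return (outcome, payload)
    user = weblogic_identity_assertion(payload)
    return ("authenticated", user) if user else ("rejected", None)


# Constructed scenarios.
FORGED_DIRECT = {"peer": "203.0.113.9", "path": "/Agile/PLMServlet",
                 "headers": {"Remote-User": "cn=admin,ou=people,dc=example,dc=com"}}
FORGED_VIA_PROXY = {"path": "/Agile/PLMServlet", "oam_cookie": "sess-123",
                    "headers": {"Remote-User": "cn=admin,ou=people,dc=example,dc=com"}}
NO_SESSION = {"path": "/Agile/PLMServlet", "headers": {}}

if __name__ == "__main__":
    print(weblogic_identity_assertion(FORGED_DIRECT))   # None
    print(handle(FORGED_VIA_PROXY))                      # jsmith's DN, not admin's
    print(handle(NO_SESSION))                            # redirect to OAM login
```

The practical check this suggests for any of the three deployments is the first scenario: send a request with a hand-written remote-user header straight to the WebLogic port, bypassing the web server; if the Agile home page comes back, the port is reachable without OAM and must be firewalled to the web-server hosts.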
Configure LDAP Server (which is used as identity store in OAM) with Agile.
Migrate LDAP Users into Agile Application and Activate LDAP users. For more information, see "Agile LDAP Configuration" to configure LDAP Server with Agile.
Login to Agile Java Client.
Navigate to Location node.
Enter Web Server Proxy URL.
Restart the File Manager.
Attempt to log in to the Agile proxy URL using the Apache web server port number as configured.
You should see the OAM credentials page.
Enter the username and password of a user from the LDAP identity store configured in OAM; the Agile application home page should be presented.
The following sections outline the steps to configure and deploy NTLM for Single sign-on capability.
Microsoft Windows NTLM has been certified for Agile PLM. Discuss your company's needs with your Oracle Consulting - Agile Practice representative.
These are the steps to configure Windows NTLM for Single sign-on with Internet Information Services (IIS) as proxy server for WLS.
Note: The prerequisite for this configuration is that the Windows server on which IIS is running has been joined to a Windows domain. Since Windows 2000, the Windows domain controller role is provided by Microsoft Active Directory.
Install and enable Windows Authentication in IIS for site to use Windows NT LAN Manager for authentication:
Navigate to Administrative Tools > Server Manager.
Navigate to Roles > Web Server.
Right-click, choose Add Role Services, and install Windows Authentication.
Open IIS Manager.
Click Default Web Site.
Double-click Authentication.
Enable Windows Authentication.
Disable Anonymous Authentication.
On the site's Authentication page, select Windows Authentication.
Click Providers.
Move the NTLM provider to the first position.
Note: Placing NTLM first means clients never negotiate Kerberos. NTLM is the weaker of the two protocols, so consider enabling Extended Protection for Authentication on the site to limit NTLM relay.
Open IIS Manager, use Default Web Site.
Click the site.
Double-click Request Filtering in right pane.
Click Edit Feature Settings in the Actions pane.
In Edit Request Filtering Settings Dialog, change Maximum query string (Bytes) to 4096 and then click OK.
Restart IIS.
Note: Agile PLM 9.3.6 with WLS 12.2.1.1 must be installed and the IIS 7.5/IIS 8/IIS 8.5 proxy configuration must be completed before proceeding to the next steps.
Install and configure the WebLogic plug-in patch.
Download the WLS 12.2.1.1 Proxy Plugin WLSPlugin12.2.1.1-IIS-Win64.zip from the location
http://www.oracle.com/technetwork/middleware/webtier/downloads/index.html
Extract the plug-in zip to the location C:\myhome\weblogic-plugins-1.1 (referred to as PLUGIN_HOME below).
Create iisproxy.ini file in %PLUGIN_HOME%\lib\ with the settings below:
WebLogicHost=wls-host
WebLogicPort=wls-port
Debug=ALL
WLLogFile=C:\Temp\wl-proxy.log
Ensure that the %PLUGIN_HOME%\lib is included in the system PATH:
Control-Panel > System > System Properties > Environment Variables > System Properties > PATH
Open IIS Manager; use Default Web Site or create a Web Site.
Click the site.
Open Handler Mappings and add a script map:
Set the Extension to '*'.
Set Executable to %PLUGIN_HOME%\lib\iisproxy.dll, and give the mapping a Name.
Start IIS.
Download IIS ARR v3.0 from the URL below:
http://www.iis.net/downloads/microsoft/application-request-routing
After installing it successfully, go to the IIS Home page. Note that there is a new feature under the IIS section, Application Request Routing Cache, and a new Server Farms node in the left panel.
Right-click Server Farms and choose Create Server Farm.
Add a server farm.
Enter a name.
Select the option: Online.
Click the Next button.
Add the Agile server addresses that require a proxy.
Select the option: Online.
Click Advanced Settings.
Change the HTTP port to the Agile server port.
After adding all the Agile servers, then click the Finish button.
Click Yes in the Rewrite Rules popup.
Click the Server Farm you created in steps 2 and 3 above.
Double-click Caching on the right panel.
Deselect the option: Enable disk cache.
Click Apply.
Click the Server Farm again.
Double-click Health Test.
Enter the URL.
Click the Verify URL Test button.
If the test result is pass, then click Apply.
Click the Server Farm again.
Double-click Routing Rules.
Select the option: Use URL Rewrite to inspect incoming requests.
Deselect the option: Enable SSL offloading.
Click Apply.
Go to <Agile_Home>/agileDomain/config and open the agile.properties file for editing.
Change the value of network.resolvehost to false.
Start Agile PLM.
IIS 8 can now act as a proxy for Agile PLM.
A. To configure your PLM system for SSO with NTLM, perform these operations.
Important: Stop the Agile Server. For information on how to stop the Agile PLM server, see the Agile PLM Database Install Guide.
In the WLS console, go to Summary of Security Realms > AgileRealm > Providers.
Click New and add "AgileIdentityAsserter" as the AgileRealm Authentication Provider.
Open the added AgileIdentityAsserter and, under Active Types, select Authorization (AGILESSO is already selected there by default). Both should be selected.
Click Save, then click Activate the Changes, and then logout from the console.
Stop the Application server.
B. Edit this file:
agile_home/agileDomain/applications/application.ear/application.war/WEB-INF/web.xml.
WLS 12.2.1.1 supports multiple authentication methods. Add the following elements:
    <login-config>
        <auth-method>client-cert, form</auth-method>
        <realm-name>AgileRealm</realm-name>
        <form-login-config>
            <form-login-page>/default/login-cms.jsp</form-login-page>
            <form-error-page>/default/loginError.jsp</form-error-page>
        </form-login-config>
    </login-config>
C. Perform the following setting modifications so that clicking Login after a logout logs the user in automatically in an SSO-enabled system.
Edit this file:
agile_home/agileDomain/config/agile.properties
Set the agile.sso.enabled value in agile.properties to the following:
agile.sso.enabled=true
Set the agile.sso.cookie.name in agile.properties to the following:
agile.sso.cookie.name=AGILESSO
Note: Manually add the agile.sso.enabled property to the agile.properties file located in agile_home/agileDomain/config and set its value to true.
D. Restart the Agile server.
E. Ensure that the NT user name and password exist in the database:
Ensure that the NT user name and password exist in the database to which the application is connected, by migrating them from the Microsoft Active Directory domain LDAP server. Refer to "LDAP" for information about configuring the LDAP server, migrating users and activation.
F. Set Web Server Proxy URL in Agile PLM Administrator:
Log in to Java Client as administrator.
Navigate to the Location node.
Enter the Web Server Proxy URL.
Restart the File Manager.
G. Attempt to access the Proxy URL from your Windows computer:
In the Internet Explorer browser, you are logged in to Agile PLM automatically.
In the Firefox browser, you are asked for your network credentials only on first access.
If the Recipe & Material Workspace application is configured with the Agile 9.3.x SSO environment, the system administrator needs to update the Agile Proxy (SSO) URL in the CFMConfig.xml of "<AgileHome>\AgilePharma\config".
The entry must be changed to contain the Agile Proxy (SSO) URL:
<AgileSSOProxyUrl> </AgileSSOProxyUrl>
For more information about the system configuration of Agile Recipe & Material Workspace, see the Agile PLM Recipe & Material Workspace Administrator Guide.
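As an added check (example code written for this section, not part of Agile PLM or its installer), the following Python script reads the three files edited in the procedures above, agile.properties, iisproxy.ini and web.xml, and reports any setting that deviates from the values given here. The sample file contents are constructed; the host name plm-app01.example.com is a placeholder.

```python
import xml.etree.ElementTree as ET

def parse_properties(text):
    """Parse key=value lines; agile.properties and iisproxy.ini share this shape."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def auth_methods(web_xml):
    """Collect every auth-method declared in web.xml, ignoring the XML namespace."""
    methods = []
    for el in ET.fromstring(web_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "auth-method" and el.text:
            methods += [m.strip().lower() for m in el.text.split(",")]
    return methods

def check_sso_config(agile_props, iisproxy_ini, web_xml):
    """Return the list of settings that deviate from the NTLM SSO procedure; empty means OK."""
    problems = []
    props = parse_properties(agile_props)
    if props.get("agile.sso.enabled", "").lower() != "true":
        problems.append("agile.properties: agile.sso.enabled must be true")
    if props.get("agile.sso.cookie.name") != "AGILESSO":
        problems.append("agile.properties: agile.sso.cookie.name must be AGILESSO")
    if props.get("network.resolvehost", "").lower() != "false":
        problems.append("agile.properties: network.resolvehost must be false behind the IIS proxy")
    ini = parse_properties(iisproxy_ini)
    for key, placeholder in (("WebLogicHost", "wls-host"), ("WebLogicPort", "wls-port")):
        if ini.get(key, placeholder) in ("", placeholder):
            problems.append(f"iisproxy.ini: {key} is missing or still the placeholder")
    methods = auth_methods(web_xml)
    for method in ("client-cert", "form"):
        if method not in methods:
            problems.append(f"web.xml: auth-method must include {method}")
    return problems

# Constructed sample files (not copied from a real installation); network.resolvehost
# is deliberately left unchanged so that the check reports it.
SAMPLE_AGILE_PROPERTIES = "agile.sso.enabled=true\nagile.sso.cookie.name=AGILESSO\nnetwork.resolvehost=true\n"
SAMPLE_IISPROXY_INI = "WebLogicHost=plm-app01.example.com\nWebLogicPort=7001\nDebug=ALL\n"
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <login-config>
    <auth-method>client-cert, form</auth-method>
    <realm-name>AgileRealm</realm-name>
  </login-config>
</web-app>"""
```

Run check_sso_config on the real files before restarting the Agile server; an empty list means every setting from steps B, C and the ARR procedure is in place.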
The following are possible SSO deployment scenarios with NTLM: one with a secure proxy and one with a transparent proxy or no proxy.
In the secure proxy deployment, authentication takes place on the proxy server, so it is recommended for companies that use a proxy server.
Request flow with this deployment:
User launches browser to access Agile PLM (for example, http://agileplm.xyz.com/Agile/PLMServlet).
The NTLM-enabled IIS server challenges the browser for credentials.
After a successful NTLM handshake, the request reaches Agile Application Server (AAS) agent with user information.
NTLM is a connection-based authentication protocol. For each new socket connection between client and server (or proxy), it has to exchange credentials by sending and responding to HTTP requests and responses.
The AAS agent passes the user information to the application server security framework.
The user will be allowed to access Agile applications.
This authentication happens whenever the client sends an HTTP POST request; therefore, authentication can re-occur even during an established user session.
Request flow with the transparent proxy or no-proxy deployment:
User launches browser to access Agile (for example, http://agileplm.xyz.com/Agile/PLMServlet).
The Agile Application Server (AAS) agent installed on server challenges the browser for credentials.
After a successful NTLM handshake, the AAS agent passes the user information to the application server security framework.
The user will be allowed to access Agile applications.
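The handshake in the request flows above, as an added example that is not part of the original guide: a Python decoder for the NTLM Authorization and WWW-Authenticate header values exchanged on one connection, which identifies the Type 1, 2 and 3 messages and extracts the domain and user the client claims in Type 3. The sample messages (domain CORP, user jdoe, workstation WS01, zero-filled response buffers) are constructed, not captured traffic.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"          # 8-byte signature that opens every NTLM message
NEGOTIATE_UNICODE = 0x00000001    # flag: string fields are UTF-16LE
TYPES = {1: "NEGOTIATE", 2: "CHALLENGE", 3: "AUTHENTICATE"}

def build_type3(domain, user, workstation):
    """Constructed Type 3 for the sample: LM/NT response buffers are zero-filled placeholders."""
    bufs = [bytes(24), bytes(24)]                                   # LM and NT responses
    bufs += [s.encode("utf-16-le") for s in (domain, user, workstation)]
    bufs.append(b"")                                                # encrypted session key
    header, payload, offset = NTLMSSP + struct.pack("<I", 3), b"", 64
    for buf in bufs:                                                # six security buffers
        header += struct.pack("<HHI", len(buf), len(buf), offset)   # len, maxlen, offset
        payload += buf
        offset += len(buf)
    return header + struct.pack("<I", NEGOTIATE_UNICODE) + payload  # header is 64 bytes

def parse_ntlm(header_value):
    """Decode an 'NTLM <base64>' header value; a bare 'NTLM' is the initial 401 challenge."""
    scheme, _, b64 = header_value.strip().partition(" ")
    if scheme != "NTLM":
        return None
    if not b64:
        return {"type": 0, "name": "initial 401 challenge"}
    raw = base64.b64decode(b64)
    if raw[:8] != NTLMSSP:
        raise ValueError("not an NTLMSSP message")
    mtype = struct.unpack_from("<I", raw, 8)[0]
    info = {"type": mtype, "name": TYPES.get(mtype, "unknown")}
    if mtype == 2:
        info["challenge"] = raw[24:32].hex()                        # server nonce
    elif mtype == 3:
        flags = struct.unpack_from("<I", raw, 60)[0]
        enc = "utf-16-le" if flags & NEGOTIATE_UNICODE else "latin-1"
        for name, pos in (("domain", 28), ("user", 36), ("workstation", 44)):
            length, _, off = struct.unpack_from("<HHI", raw, pos)
            info[name] = raw[off:off + length].decode(enc)
    return info

# Constructed exchange on one socket: 401 -> Type 1 -> Type 2 -> Type 3
TYPE1 = NTLMSSP + struct.pack("<I", 1) + struct.pack("<I", NEGOTIATE_UNICODE) + bytes(16)
TYPE2 = NTLMSSP + struct.pack("<I", 2) + bytes(8) + struct.pack("<I", NEGOTIATE_UNICODE) \
        + bytes.fromhex("0123456789abcdef") + bytes(16)
SAMPLE_HANDSHAKE = ["NTLM"] + ["NTLM " + base64.b64encode(m).decode()
                               for m in (TYPE1, TYPE2, build_type3("CORP", "jdoe", "WS01"))]
```

Because the protocol is connection-based, a proxy or AAS log that shows this four-step sequence repeating for an already logged-in user indicates a new socket or a POST triggering re-authentication, not a failed login.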