App Server SSO LDAP on 11g
We are currently running App Server using OID & SSO version 10.1.2.3 in a high availability environment. We have a project to migrate these applications to new hardware and are considering installing Fusion Middleware App Server 11g (on Linux 64bit). Does anyone have any comments or concerns regarding SSO or OID on App Server 11g?
Take a look at this thread The Future of Oracle Single Sign-On 10g (10.1.4.3) ????
You can have OID 11g in your FMW installation but you will have to maintain a separate instance for SSO 10g patched up to 10.1.4.3.
Similar Messages
-
Error in LDAP Authentication for Sun One App Server 8..pls help
I need to authenticate my sun java system application server 8 with openldap server.....
i have added ldap realm as given in the administrators guide http://docs.sun.com/source/817-6088/security.html
My settings in the sun app server were like this:
Realm: ldap
Class Name: com.sun.enterprise.security.auth.realm.ldap.LDAPRealm
directory ldap://10.1.1.79:389
base-dn o=stooges
jaas-context ldapRealm
search-bind-dn cn=StoogeAdmin,o=stooges
search-bind-password secret1
My openldap schema is as follows
file : /etc/openldap/slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
database ldbm
suffix "o=stooges"
rootdn "cn=StoogeAdmin,o=stooges"
rootpw secret1
directory /var/lib/ldap/stooges
defaultaccess read
schemacheck off
lastmod on
index cn,sn,st pres,eq,sub
index uid,userPassword eq
file : /var/lib/ldap/stooges/stooges.ldif
dn: o=stooges
objectClass: top
objectClass: organization
o: stooges
description: The Three Stooges

dn: cn=StoogeAdmin,o=stooges
objectClass: organizationalRole
cn: StoogeAdmin
description: LDAP Directory Administrator

dn: ou=MemberGroupA,o=stooges
ou: MemberGroupA
objectClass: top
objectClass: organizationalUnit
description: Members of MemberGroupA

dn: ou=MemberGroupB,o=stooges
ou: MemberGroupB
objectClass: top
objectClass: organizationalUnit
description: Members of MemberGroupB

dn: uid=vikram,ou=MemberGroupA,o=stooges
uid:vikram
givenName:vicky
objectClass:top
objectClass:person
objectClass:organizationalPerson
objectClass:inetorgperson
sn:kone
cn:Kone Vikram
userPassword:glamsham

When i start ldap server and sun server,
the login page for sun server asks for username and password ....
when i give
username : vikram
password : glamsham
Error page comes.....
HTTP Status 403 - Access to the requested resource has been denied
type Status report
message Access to the requested resource has been denied
description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.
Sun-Java-System/Application-Server-PE-8.0
Subsequent attempts to login gives another error page
HTTP Status 500 -
type Exception report
message
description The server encountered an internal error () that prevented it from fulfilling this request.
exception
com.sun.enterprise.tools.guiframework.exception.FrameworkException: Unabled to handle pre-compiled JSP '/jsp/j_security_check'. Expected pre-compiled classname: 'org.apache.jsp.jsp.j_005fsecurity_005fcheck'.
com.sun.enterprise.tools.admingui.servlet.HandlePrecompiledJsp.doPost(HandlePrecompiledJsp.java:59)
javax.servlet.http.HttpServlet.service(HttpServlet.java:768)
javax.servlet.http.HttpServlet.service(HttpServlet.java:861)
sun.reflect.GeneratedMethodAccessor55.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
java.lang.reflect.Method.invoke(Method.java:324)
org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:289)
java.security.AccessController.doPrivileged(Native Method)
javax.security.auth.Subject.doAsPrivileged(Subject.java:500)
org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:311)
org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:205)
note The full stack trace of the root cause is available in the Sun-Java-System/Application-Server-PE-8.0 logs.
Sun-Java-System/Application-Server-PE-8.0
So pls... help as to how to go about this..
P.S. My ldap server runs as "ldap" user not as root
Try with "vikram" as a member of "cn=asadmin" group in your LDAP directory...
-
Error Missing parameter values - I get this in 11g app server only
Hi.. I had an application in JSP-Struts, previously on 10g app server. I now migrated the code into 11g.
I get the error on CrystalViewer.jsp
Error
Missing parameter values
Steps that lead up to the error:
The very first time anyone enters the application and clicks a submit button on the jsp, after entering data and/or picking from drop menus, the error shows up on a separate page (thrown by crystalViewer.jsp)
When I get this error, and click the browsers back button, and simply click the submit button on the jsp screen again, the reports work fine (like they do in 10g).
Tried the following:
I used log4j and followed the data as it made its way from Struts to Crystal Factory. But once it gets out of Struts, and forwards to Crystal, I receive the error from the CrystalViewer.jsp
Next, I removed code in struts-action, that used crystal factory to 'set parameter', and didn't send any parameters, letting my crystal report bring back some random records.. And this works even the first submit! So the problem is only when I have to send parameters to Crystal
Additional info:
I do not send any null values across, since I read on these forums that folks were having issues with setting nulls etc... I check for null and then force 'All' in the parameter if the user does not enter data or pick from the drop-down.
I need help resolving this . Thanks and have a great day.
(Are there any changes to be made to the Struts config, or any additions to Web.xml? Should Crystal reports be changed in anyway so they can function like they did in 10g?)
The Crystal SDK doesn't know or care that you're using Struts.
The exception is stating you're not setting parameters.
So wherever you're trying to set parameters, whatever's reaching the viewer don't have them set.
Why not trace the workflow to see what's where?
Sincerely,
Ted Ueda -
Kerberos & Cryptolib in same app server for GUI-BW & BO -BW SSO
Hi
We have situation wherein we have SSO to BW from SAPGUI (logonpad) using windows AD userid. SNC authentication for this by Kerberos.
Now for our BO webireports we would like have to scheduling functionality & row-level security from underlying BW reports. Hence we need to have SSO between BW & BO ( using windows AD userid)
But SNC authentication for BO-BW SSO uses cryptolib.
Since we can not have both Kerberos & cryptolib in the same app server, is there any alternative solution other than using 3rd party tool like secude?
Is this issue addressed in BI4?
Your help is greatly appreciated.
Thanks
Paddy
Thanks Ingo for the response.
Can you please elaborate when you say "You should check if the SNC libraries that you are using for the client side SNC also allows for server side trust."
Also is this issue addressed in BI4 release?
Thanks -
SSO using WebLogic app server and AD as the auth source
Hi All,
I am trying to setup SSO on 10gR3 using MS Active Directory as the auth source and WebLogic as the app server.
Do I have to create a custom SSO or can this setup be configured using the basic SSO and config changes?
Any help or guidance will be appreciated.
Cheers
Bob
There are many ways. The generic answer is federation via SAML, look at the docs for Oracle Identity Federation.
-
Sun One App Server 8.1,Sun One Message Q3.6,administered objects in LDAP
Hi,
Has anyone tried hosting an MDB on Sun One App Server 8.1 listening to a queue on Sun One Message Queue 3.6 through administered objects in directory server...? It looks quite straight forward but somehow it doesn't seems to work. Any idea if Sun one app server supports this type of architecture...?
Regards,
Pritesh
Hi,
Even I didn't see any obvious reason why it shouldn't work until I found that Sun One App Server 8.1 does not support external JNDI lookup to Sun MQ 3.6 through administered objects. However, it is possible using a newly released generic resource adapter for JMS 1.5 RC1. I am still fighting on it and let you know if it works.
I was getting an error "JMS resource can not be created" during deployment time.
Regards,
Pritesh Thakor -
Hi All,
Can I use OAM 10.1.4.3 (Authentication Provider & Identity Asserter) to implement SSO with weblogic App Server 10.3.0 or below?
OAM 10.1.4.3 Authentication Provider & Identity Asserter is the recommended way to configure SSO with Web Logic App server 10.3.1 ( Oracle Middleware 11g).
And
OAM 10.1.4.2 uses WebLogic SSPI to configure SSO between OAM 10g and WebLogic App Server 10.3.0 or below.
Hi,
This is how the integration goes with different versions of WLS and OAM.
There is oamAuthnProvider.jar available with OAM 10.1.4.3 downloads. So it provides the assertion functionality.
Can I use OAM 10.1.4.3 (Authentication Provider & Identity Asserter) to implement SSO with weblogic App Server 10.3.0 or below?
Mahendra: Yes
OAM 10.1.4.3 Authentication Provider & Identity Asserter is the recommended way to configure SSO with Web Logic App server 10.3.1 ( Oracle Middleware 11g).
Mahendra: Yes, this is the recommended and easy approach.
OAM 10.1.4.2 uses WebLogic SSPI to configure SSO between OAM 10g and WebLogic App Server 10.3.0 or below.
Mahendra: Yes, older version of OAM uses SSPI connector installation.
HTH.
Mahendra. -
Legacy java app & Web Logic App Server
Hi,
We have a legacy java application that we like to provide an EJB layer for.
The legacy application provides a servlet interface, event queues, our own JDBC Conn Pools, etc...
Can we integrate legacy java code into the Web Logic App Server? That is, we like to use the Weblogic's api's for servlets and JDBC conn pools. We would also like to use the clustering feature to provide failover. Also, our application creates bunches of threads. Do we need to rewrite this code to use Weblogic's thread creation techniques?
If this cannot be done, another option would be to provide an EJB layer where the entity beans would map to elements in the legacy application using our own version of the connector. Then the app server would only encapsulate the EJB layer. Could we still use your JDBC Conn Pools and other services in the java legacy app?
Still the problem with this solution is that we can't use your clustering scheme around our legacy app, or can we?
Any help would be appreciated.
-- tony
It can even be a standard production scenario if you want to run Oracle Portal 11g on a single box. The single sign-on part typically requires you to install an AS 10g SSO server which co-exists with other components such as WebLogic server.
Notice that there is a sharp division between everything which is inherited from the old OAS, the so-called instance components, typically started with OPMN and the new WLS stuff. -
11g rdbms comes with oid ldap? i have to setup oracle net services with that, any notes to setup with 11g would help.
OID is part of the Application Server.
It has been part of the app server for several versions (9i)
It happens to store it's info in an Oracle database. But it is still part of the App Server.
Read the App Server (specifically Identity Management) docs to determine installation. -
Error while installing Oracle Apps server 10.1.3 with Oracle DB 11.2.0.2 residing in the same server and being used by Apps server as it's metadata.
bash-3.00$ export ORACLE_HOME=/data/ora11g/app/ora11g/product/11.2.0
bash-3.00$ cd /data/OAS/install/soa_schemas/irca/
bash-3.00$ ./irca.sh
Integration Repository Creation Assistant (IRCA) 10.1.3.1.0
(c) Copyright 2006 Oracle Corporation. All rights reserved.
ERROR: Cannot find library - /data/ora11g/app/ora11g/product/11.2.0/jdbc/lib/ojdbc14.jar
Please verify that the ORACLE_HOME is set correctly.
bash-3.00$
Hi Craig,
Database 11gR2 could be used for Installing Application Server 10.1.3.x but with some limitation.
So please review the note:-887365.1 Oracle Database 11g Release 2 (11.2) Certification for Oracle Application Server 10g (10.1.2, 10.1.3, 10.1.4)
Section :- Oracle Application Server 10g Release 3 (10.1.3)
Regards,
Praaksh. -
How to protect an application running on Apache Tomcat app server with OAM 11gR2
Gurus,
We have an Apache Tomcat based application named "ABCD" here at client site that we want OAM 11gR2 PS1 to integrate with for SSO purposes. I have successfully configured OHS to reverse proxy requests to Apache Tomcat server whenever somebody tries to access the application URL but still, I am getting the application login page once I have successfully authenticated on OAM SSO login page. The Tomcat based application is authenticating users against a "UserDatabase realm".
I know in terms of weblogic application, there is an OAM identity asserter provider which then populates the User Principal for the java environment with the authenticated OAM user. But there is no such OAM identity provider for Tomcat.
So my question is, is there an provider (or Tomcat equivalent) which will entrust authentication to a header, that could be used to populate the Java User Principal from the OAM_REMOTE_USER header? Is the weblogic equivalent of authentication providers present in tomcat as well? Are those called valves?
Please advise to the earliest.
Thanks !!
Aakash,
I did follow the 4 steps that you mentioned to me. Out of the 4 that you had mentioned, I already had the webgate in place on OHS server and I was already passing the remote_user http header in oam policy as action.
As part of Step #2: Install mod_jk plugin on OHS server that you mentioned
1.) I downloaded the tomcat connector - tomcat-connectors-1.2.37-src
2.) I had to run ./configure,make, make install on my OHS server which runs on RHEL 6. It created the mod_jk.so file. I pasted it in the needed folder.
3.) I then created the httpd.conf file and workers.properties file as said in the connector docs.
4.) Restarted OHS.
As part of Step #3: Configure tomcat's ajp connector that you mentioned and I went through all the links pasted below but didn't find actually what needs to be in place to configure tomcat's ajp connector. I do see in the server.xml of tomcat app server that the ajp 1.3 protocol is supported:
http://tomcat.apache.org/tomcat-4.0-doc/config/ajp.html
http://tomcat.apache.org/tomcat-3.3-doc/mod_jk-howto.html#s8
http://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html
http://www.mulesoft.com/understanding-tomcat-connectors
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
Do we need to disable the HTTP protocol in Tomcat and keep only AJP connector enabled? If yes, how to do that?
I am trying to connect to the application from OHS server like so I am using the http protocol right? How should I use the ajp protocol to connect to tomcat application?
http://ohs-host:ohs-port/abcd
Thanks !!!!! -
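The header-to-principal mapping asked about in this thread, as an added example (not code from the posters, Oracle or Tomcat): a standard javax.servlet filter that exposes the proxy-asserted user through getRemoteUser()/getUserPrincipal(), and only for requests arriving from a listed proxy address. The class name, the init-param names and the proxy addresses configured in web.xml are assumptions; it also assumes OHS reaches Tomcat over the HTTP connector, because with AJP getRemoteAddr() reports the browser's address and the restriction has to be placed on the connector or firewall instead.

```java
import java.io.IOException;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: trusts an identity header only when the TCP peer is the
// reverse proxy that performed the SSO check.
public class ProxyAssertedUserFilter implements Filter {
    private String headerName = "OAM_REMOTE_USER"; // header named in the post
    private final Set<String> trustedProxies = new HashSet<String>();

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        String h = cfg.getInitParameter("headerName");
        if (h != null && !h.trim().isEmpty()) {
            headerName = h.trim();
        }
        // Fail closed: refuse to start without an explicit proxy allow-list.
        String p = cfg.getInitParameter("trustedProxies");
        if (p == null || p.trim().isEmpty()) {
            throw new ServletException("trustedProxies init-param is required");
        }
        for (String addr : p.split(",")) {
            trustedProxies.add(addr.trim());
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        HttpServletResponse out = (HttpServletResponse) res;
        // A client that reaches Tomcat directly can send any header it likes,
        // so the header is ignored unless the peer is the proxy.
        if (!trustedProxies.contains(http.getRemoteAddr())) {
            out.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        final String user = http.getHeader(headerName);
        if (user == null || user.trim().isEmpty()) {
            out.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        final Principal principal = new Principal() {
            public String getName() { return user.trim(); }
        };
        chain.doFilter(new HttpServletRequestWrapper(http) {
            @Override public String getRemoteUser() { return principal.getName(); }
            @Override public Principal getUserPrincipal() { return principal; }
        }, res);
    }

    @Override
    public void destroy() { }
}
```

This covers applications that read the identity through the servlet API; security-constraints declared in web.xml are enforced by the container before any filter runs, so those need a container-level component instead.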
Hi
I am installing web cache on two servers in web tier and J2EE server (with OHS) on another two servers in apps tier. Should I use standalone webcache or install from Oracle Apps Server package? If I choose Oracle Apps Server package, I have to disable Home, HTTP components. But it is DCM managed. Any suggestions?
And should I deploy my OHS servers on web cache servers in the web tier? In future we want to expand J2EE installation, we will deploy Portal with SSO, OID etc.
Regards
Shen Jie
Shen Jie,
Please review the Enterprise Deployment to see what are the best architectures.
Hope this helps.
Deepak -
Hi All,
We have a requirement to implement custom SSO with OBIEE 11g.
Is configuration of SSO in OBIEE 11g similar to that of OBIEE 10.1.3 ? (10g steps mentioned below)
1. Changing Instanceconfig.xml
2. Adding a user “Impersonate ” in Repository
3. Adding Impersonate user Credentials to Credential Store using cryptotools
4. Add Credential Store information to Instanceconfig .xml file
Are there any additional configurations required to be related to weblogic integration with OBI?
What sort of SSO setup are you looking to implement? The security model in 11g is much more complex and unfortunately it's all in Weblogic. I don't think that was a good idea but Oracle is obviously pushing to use all of its products into OBIEE.
On the positive side OBIEE 11g now supports configuring authentication and SSO with Active Directory and Windows Native Authentication using Kerberos (the next generation authentication protocol after NTLM). This SSO solution is sometimes called "silent SSO" as it does not require domain authenticated users to login to OBIEE and it's completely transparent. In view it's the "real and proper" SSO solution as it's server side and it's unspoofable. Oracle Support Note ID 1274953.1 provides guidance on how to do that. The configuration process is complex but it provides a way to use Windows Native Authentication out-of-the-box in OBIEE 11g without having to rely on custom/3rd party components or any additional license costs. -
Or I guess a related question is what version of apache comes with the latest App Server Patch Set (10.1.3.4.0)?
We are running OAS 10.1.3.3.x and we are having issues with URLs that end in a number but which have query parameters at the end.
E.g. http://<stuff_here>/1?type=table&format=html
The URLs come from REST-ful GET operations. It seems like the HTTP server just ignores the query parameters completely.
When we run against stand-alone OC4J which includes an embedded HTTP server, such URLs work as expected.
We are hoping that perhaps the latest patch set for the full Oracle Application Server 10g will overcome this issue.
But if we need to move to a later Oracle HTTP Server (like the one that comes as an option for the Oracle 11g database installation) we would be willing to do so.
Comments related to this are welcome.
Thanks
Jim
Hi,
Does anyone have experience getting Apex working with secured BI publisher?
The error I am getting when PDF printing from Apex to BI pub is:
"ORA-20001: The printing engine could not be reached because either the URL specified is incorrect or a proxy URL needs to be specified.
Error failed
OK "
Please note, network services in 11G are already configured; thus I am able to print from Apex to non-secured BI pub.
Thanks,
Jed -
P13N Server and App Server on separate systems - strange ports opened
Hi -
We have a configuration using WebLogic Personalization Server 3.1.1 on one
server and WebLogic Application Server 5.1 w/Service Pack 6 on another
server. What we've seen with our firewall configuration is that it appears
there are high-number random ports opened occasionally from the App Server
to the P13N Server, which do not appear to be related to connection attempts
(ex: port 42100). The only communication that we know should be happening
between the two systems are T3-based JNDI lookups, LDAP lookup/update
requests, and SQL queries. My questions, then, are as follows:
1) In handling JNDI requests, are there any callbacks that can occur between
the two servers in this configuration on a different port?
2) When separating the P13N Server and App Server, are there any "private"
ports opened between the two systems for management? As far as I know, the
App Server should simply view the P13N Server as another client, but the
firewall log would indicate that something is going on related to this.
If anyone has a similar config and can provide some info related to
potentially unseen port connections, please let me know. Thanks in advance!
Andy
Haakon,
I think the BPEL forum is the better source to ask
BPEL
Frank