This post addresses a topic that may be of interest to many application system administrators, engineers and architects.
I was approached by one of the architects within our organization with an initiative requiring a successful single sign-on integration between Oracle WebLogic and IBM Tivoli Access Manager for one of our federal clients. At first it sounded like a road block, given the differences in platform architectures, technologies, protocols, adapters, the lack of online documentation, etc. However, given the hands-on experience I have with IBM and Oracle products in that realm, I was able to compile the post below in order to provide guidance on achieving this single sign-on integration.
First, let me give an overview of how the trust relationship is established between the WebLogic Server and Tivoli Access Manager (TAM).
The trust relationship between the TAM HTTP reverse proxy (WebSEAL) and Oracle WebLogic Server is established with a configured HTTP Basic Authentication dummy password. WebSEAL is configured to supply the authenticated user's name together with a known single sign-on secret password in the Basic Authentication header of each request it forwards. That secret identifies the reverse proxy as a trusted source; it is stored in the WebSEAL configuration file, webseald.conf. The credentials of the user requesting a given resource are accepted only after the Tivoli Access Manager Authorization server verifies the password. Note what this implies: the dummy password, not the end user's own password, is the entire basis of trust at this hop, so anyone who can reach the WebLogic listen port directly and knows that password can assert any user name. Keep the password out of version control and restrict the WebLogic listen port so that it is reachable only from the WebSEAL hosts. The screenshot below shows the details of how the trust relationship is established between WebLogic Server and Tivoli Access Manager.
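To make the mechanism above concrete, here is a small simulation of both halves of the trust relationship: the Authorization header WebSEAL builds for a -b supply junction (the end user's name paired with the static dummy password), and the check the WebLogic side performs before accepting that user name. This is an added illustration written for this post, not code from IBM or Oracle; the trust user name sso_user, the password sso_pwd, the end users and the in-memory registry standing in for TAM are all constructed values.

```python
import base64
import hmac
from typing import Dict, Optional

# Constructed stand-ins for the real deployment values. The SSO trust user is
# the account named by ssoTrustId in amsspi.properties; its TAM password is
# what basicauth-dummy-passwd in webseald.conf must be set to.
SSO_TRUST_ID = "sso_user"          # hypothetical user name
SSO_DUMMY_PASSWORD = "sso_pwd"     # the value the post calls sso_pwd

# Stand-in for the TAM user registry that the WebLogic-side SSPI consults.
# Only the trust user's password is checked at this hop; end users were
# already authenticated by WebSEAL and never present their own password here.
TAM_REGISTRY: Dict[str, str] = {SSO_TRUST_ID: SSO_DUMMY_PASSWORD}


def webseal_supply_header(end_user: str, dummy_password: str) -> str:
    """Authorization header a '-b supply' junction sends to WebLogic: the
    authenticated end user's name paired with the static dummy password."""
    token = base64.b64encode(f"{end_user}:{dummy_password}".encode()).decode()
    return f"Basic {token}"


def weblogic_trust_check(auth_header: str,
                         sso_trust_id: str = SSO_TRUST_ID,
                         registry: Dict[str, str] = TAM_REGISTRY) -> Optional[str]:
    """Simulated back-end half of the trust relationship. The dummy password
    is verified against the SSO trust user's password; only then is the
    supplied user name accepted as the caller's identity. Returns the
    asserted user, or None if the request does not come from a trusted
    WebSEAL (wrong scheme, malformed token, empty user, wrong password)."""
    scheme, _, token = auth_header.strip().partition(" ")
    if scheme != "Basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    expected = registry.get(sso_trust_id)
    # Constant-time comparison so the check does not leak the secret's prefix.
    if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
        return None
    return user


if __name__ == "__main__":
    # Normal flow: WebSEAL authenticated "alice" and forwards her identity.
    print(weblogic_trust_check(webseal_supply_header("alice", SSO_DUMMY_PASSWORD)))          # alice
    # A direct request with a guessed password is rejected.
    print(weblogic_trust_check(webseal_supply_header("alice", "guess")))                     # None
    # Whoever knows the dummy password can assert any user name, which is why
    # the WebLogic listen port must be reachable only through WebSEAL.
    print(weblogic_trust_check(webseal_supply_header("sec_master", SSO_DUMMY_PASSWORD)))     # sec_master
```

The last call in the usage section is the point of the simulation: the back end has no way to tell a genuine WebSEAL from any other client that holds the dummy password, so network placement of the WebLogic listen port and protection of the secret are part of the security design, not optional hardening.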
How to configure Oracle WebLogic Server for single sign-on with Tivoli Access Manager
You can enable Tivoli Access Manager single sign-on for WebLogic Server automatically during realm creation by specifying the optional single sign-on option of the create_realm command. This post does not cover the steps required to create a security realm in TAM; for those, refer to the IBM Tivoli Access Manager for e-business: Installation Guide.
Once the security realm has been created, you can enable single sign-on with the following steps:
- First, create the SSO user in Tivoli Access Manager with the pdadmin user create command (arguments: user name, LDAP DN, cn, sn, password).
e.g. pdadmin> user create user1 cn=user1,dc=iguident,dc=com user1 user1 myPassword
- Enable the account by setting the account-valid option to yes with the user modify command:
e.g. pdadmin> user modify user1 account-valid yes
- Edit the Tivoli Access Manager for WebLogic Server properties file, amsspi.properties, and set the following values, where sso_username is the SSO user created above (user1 in the example):
com.tivoli.amwls.sspi.Authentication.ssoEnabled = true
com.tivoli.amwls.sspi.Authentication.ssoTrustId = sso_username
- Save and close the file
How to configure WebLogic single sign-on using a TAM HTTP Reverse Proxy (WebSEAL) junction
Administrators can also configure WebLogic single sign-on with TAM through the TAM HTTP reverse proxy, WebSEAL, using a junction. To achieve this integration, complete the following steps on the system that hosts the WebSEAL server:
- First, edit the WebSEAL configuration file, webseald.conf.
- Set the basicauth-dummy-passwd entry in the configuration file as follows:
basicauth-dummy-passwd = sso_pwd
This value must match the TAM password of the SSO user: the sso_pwd given to create_realm when the single sign-on option is used, or the password set with pdadmin user create when the user was created manually (myPassword in the example above).
- Save and close the file
- For the change to take effect, stop and restart the WebSEAL service on the WebSEAL server.
- Use the pdadmin command line utility to create a WebSEAL junction. An example is provided below:
pdadmin> server task webseald_server_name create -t tcp -p WebLogic_Server_listen_port -h WebLogic_Server -b supply junction_target
Include the -b supply option; it is required for single sign-on because it makes WebSEAL send the user name and the dummy password to WebLogic on every request. Because that password travels in the Authorization header, prefer a -t ssl junction to WebLogic's SSL listen port unless the network segment between WebSEAL and WebLogic is trusted.
The following table explains the parameters used in the pdadmin command line:
| Parameter | Description |
|---|---|
| webseald_server_name | The name of the WebSEAL server, in the form webseald-WebSEAL_server_instance. The default instance name is the host name, so if the host is iGuident the value is webseald-iGuident. |
| WebLogic_Server | The host name of the WebLogic Server. |
| WebLogic_Server_listen_port | The port on which the WebLogic Server is listening. The default is 7001. |
| -b supply | Required for single sign-on. Makes WebSEAL supply the authenticated user name together with the dummy password. |
| junction_target | The junction point, i.e. the URL path on WebSEAL that maps to the WebLogic Server. |
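The two procedures above (the SSO user and amsspi.properties on the WebLogic side, and webseald.conf plus the junction on the WebSEAL side) only work when all three pieces agree, and a mismatch shows up as a generic authentication failure that is tedious to debug. The following checker, added here as an illustration and not part of IBM's or Oracle's tooling, parses a webseald.conf fragment, an amsspi.properties fragment and the pdadmin junction command and reports every inconsistency it can see. The sample inputs are constructed: the host wls.example.internal, the junction point /wls and the SSL port 7002 are assumptions, while user1, myPassword and webseald-iGuident come from the examples in this post.

```python
import shlex
from typing import Dict, List, Optional, Tuple


def parse_stanza_file(text: str) -> Dict[str, Tuple[str, str]]:
    """Minimal parser for the '[stanza]' / 'key = value' layout of
    webseald.conf. Returns key -> (stanza, value); a repeated key keeps the
    last occurrence, which is enough for the single key checked here."""
    entries: Dict[str, Tuple[str, str]] = {}
    stanza = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            stanza = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = (stanza, value.strip())
    return entries


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: 'key = value', '#' or '!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def junction_option(argv: List[str], flag: str) -> Optional[str]:
    """Value following a pdadmin junction flag such as -b or -t, if present."""
    for i, tok in enumerate(argv[:-1]):
        if tok == flag:
            return argv[i + 1]
    return None


def check_sso_config(webseald_conf: str, amsspi_props: str, junction_cmd: str,
                     sso_user: str, sso_user_password: str) -> List[str]:
    """Cross-check the three places the trust setup must agree. sso_user and
    sso_user_password are the SSO user created in TAM (user1 / myPassword in
    the post's example). Returns a list of findings; empty means consistent."""
    findings: List[str] = []

    conf = parse_stanza_file(webseald_conf)
    dummy = conf.get("basicauth-dummy-passwd")
    if dummy is None or not dummy[1]:
        findings.append("webseald.conf: basicauth-dummy-passwd is missing or empty")
    elif dummy[1] != sso_user_password:
        findings.append("webseald.conf: basicauth-dummy-passwd does not match the SSO user's TAM password")

    props = parse_properties(amsspi_props)
    if props.get("com.tivoli.amwls.sspi.Authentication.ssoEnabled", "").lower() != "true":
        findings.append("amsspi.properties: ssoEnabled is not true")
    trust_id = props.get("com.tivoli.amwls.sspi.Authentication.ssoTrustId", "")
    if not trust_id:
        findings.append("amsspi.properties: ssoTrustId is not set")
    elif trust_id != sso_user:
        findings.append(f"amsspi.properties: ssoTrustId is {trust_id}, expected {sso_user}")

    argv = shlex.split(junction_cmd)
    if junction_option(argv, "-b") != "supply":
        findings.append("junction: -b supply is missing, WebSEAL will not send the dummy password")
    if junction_option(argv, "-t") == "tcp":
        findings.append("junction: warning, -t tcp carries the dummy password in clear text to WebLogic; "
                        "prefer -t ssl unless the WebSEAL-to-WebLogic segment is trusted")
    return findings


# Constructed sample inputs (not taken from a real deployment).
GOOD_WEBSEALD_CONF = """
[junction]
basicauth-dummy-passwd = myPassword
"""
GOOD_AMSSPI_PROPERTIES = """
com.tivoli.amwls.sspi.Authentication.ssoEnabled = true
com.tivoli.amwls.sspi.Authentication.ssoTrustId = user1
"""
GOOD_JUNCTION_CMD = ("server task webseald-iGuident create -t ssl -p 7002 "
                     "-h wls.example.internal -b supply /wls")

BAD_WEBSEALD_CONF = """
[junction]
basicauth-dummy-passwd = somethingElse
"""
BAD_AMSSPI_PROPERTIES = """
com.tivoli.amwls.sspi.Authentication.ssoEnabled = false
"""
BAD_JUNCTION_CMD = ("server task webseald-iGuident create -t tcp -p 7001 "
                    "-h wls.example.internal /wls")


if __name__ == "__main__":
    print(check_sso_config(GOOD_WEBSEALD_CONF, GOOD_AMSSPI_PROPERTIES, GOOD_JUNCTION_CMD, "user1", "myPassword"))
    for finding in check_sso_config(BAD_WEBSEALD_CONF, BAD_AMSSPI_PROPERTIES, BAD_JUNCTION_CMD, "user1", "myPassword"):
        print("-", finding)
```

Run it against the real files by reading them into the two string arguments and pasting the exact junction command you intend to issue; the SSO user's password is the one value it cannot read from disk, so pass it from a secret store rather than hard-coding it. The -t tcp finding is a warning rather than an error because the post's own example uses a tcp junction; treat it as an error wherever WebSEAL and WebLogic are not on the same trusted segment.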