I have spent a little time recently setting up single sign on for WebCenter Interaction.
My environment is WebCenter Interaction 10.3 running on Oracle WebLogic Server 10.3 on Windows 2003 Server, with an Oracle HTTP Server (Apache 1.3) HTTP Proxy, Oracle Access Manager providing SSO, and Oracle Internet Directory as the LDAP Authentication Server. The portal data store is the Oracle 11g Database (126.96.36.199).
There were a few issues, and the documentation does not reflect current versions, which meant I needed to rely on some assistance and a little bit of guessing in addition to the documentation. As such, I though this would be a good piece of work to document to make it easier for others to repeat (and for the next time I need to do it!)
I would like to acknowledge assistance from the following people (alphabetical order): Clarence Cheah, Rory Douglas, Iyad Kloub, Ali Mukadam, Luke McQueen, Igor Polyakov, Tamer Qumhieh, Mike Wertzberger and Tanya Williams.
This post contains just the highlights – the stuff that is not in the documentation, or easy to work out. Following this, I will post complete step by step instructions.
Oracle 11g Database Configuration Issue
There is an issue running WebCenter Interaction 10.3 with Oracle Database 11g. It seems to be introduced when you install the WebCenter Identity Integration for LDAP module. After doing this, the overnight jobs start to fail with an SQL error, the portal fails, and will no longer start. Here is the query you may find in your log files when this happens:
SELECT MAX(CS.ACCESSLEVEL) AS ACCESSLEVEL, C.NAME, C.ISLOCALIZED, C.OBJECTID, MC2.MEMBERSHIPTYPE FROM PTCOMMUNITIES C, PTCOMMSECURITY CS, PTVGROUPMEMBERSHIP GM, (SELECT MAX(MC.MEMBERSHIPTYPE) AS MEMBERSHIPTYPE, MC.COMMUNITYID FROM PTMYCOMMUNITIES MC, PTVGROUPMEMBERSHIP GM WHERE GM.GROUPID=MC.GROUPID AND GM.USERID=263 GROUP BY MC.COMMUNITYID) MC2 WHERE GM.GROUPID=CS.GROUPID AND GM.USERID=263 AND C.OBJECTID=CS.OBJECTID AND C.OBJECTID=MC2.COMMUNITYID GROUP BY C.NAME, C.ISLOCALIZED, C.OBJECTID, MC2.MEMBERSHIPTYPE ORDER BY LOWER(C.NAME) ASC
This query will fail with the error “not a GROUP BY expression.” Careful inspection of the query seems to indicate that it is fine. I ran it on an Oracle 10g database and it did run successfully. After some digging, it seems that the 11g query optimiser may be causing this issue, and the following database setting seems to fix it:
ALTER SYSTEM SET "_OPTIMIZER_GROUP_BY_PLACEMENT"=FALSE;
I also applied the 188.8.131.52 patch to the database. I did not test this setting on 184.108.40.206, so can’t tell you if it will solve the issue on 220.127.116.11 too.
WebCenter Interaction Configuration
To make WebCenter Interaction work with the HTTP proxy, you need to make some changes to the configuration files located in <BEA_HOME>\alui\settings\portal:
In configuration.xml, you need to locate SystemProperties and change ServerName and HTTPPort to match your proxy server, as shown in the example:
<component name="portal:SystemProperties" type="http://www.plumtree.com/config/component/types/portal/systemproperties"> <!-- lines removed for brevity --> <setting name="ServerName"> <value xsi:type="xsd:string">proxy.server</value> </setting> <setting name="HTTPPort"> <value xsi:type="xsd:integer">8080</value> </setting> <!-- lines removed for brevity --> </component>
You also need to make a couple of changes in the portalconfig.xml file, which is located in <BEA_HOME>\alui\settings\portal. The first change goes into the URLMapping component, shown below. You need to set the ApplicationURL0 and the SecureApplicationURL0 to the URL of the proxy server, not the portal server. These changes are highlighted below. In the example, the proxy server is proxy.server:8080.
<component name="portal:URLMapping" type="http://www.plumtree.com/config/component/types/portal/urlmapping"> <!-- URLMapping - Entry 0 --> <setting name="URLFromRequest0"> <value xsi:type="xsd:string">*</value> </setting> <setting name="ApplicationURL0"> <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value> </setting> <setting name="SecureApplicationURL0"> <value xsi:type="xsd:string">http://proxy.server:8080/portal/server.pt</value> </setting> <clients> <client name="portal"/> </clients> </component>
The other change you need to make, it to turn on the SSO. This is done in the Authentication component. You need to set the SSO vendor (to 3 for Oracle Access Manager) and the cookie domain. These are highlighted in the example below.
<component name="portal:Authentication" type="http://www.plumtree.com/config/component/types/portal/authentication"> <!-- lines removed for brevity --> <setting name="SSOVendor"> <value xsi:type="xsd:integer">3</value> </setting> <setting name="CookieDomain"> <value xsi:type="xsd:string">.server</value> </setting> <!-- lines removed for brevity --> </component>
Oracle Access Manager Configuration
When you set up the Policy Domain for the WebGate on the HTTP proxy, you need to make the following settings:
- In the Resources tab, add a resource of type http with URL /portal.
- In the Default Rules tab, create a Default Rule, with an Authentication post success action that redirects to /portal/SSOServlet and passes a HeaderVar called UID with the cn as its value.
- Make sure your policy includes GET and POST for http.
These are key things that needed to be done to get this all working, which were not always easy to work out from the documentation. I am working with a few of the others here to fully document the whole procedure, and will post that when it is done.