Editor’s Note: Charles Anderson has presented us with the key steps of Single Sign-On,
including a standalone install of an OAS Infrastructure “Home”, and the integration of Oracle
Internet Directory with the Microsoft Active Directory. In this final article of the series, Charles
takes us through the final steps to point a single JD Edwards EnterpriseOne JAS instance to the
Oracle Single Sign-On server and validate successful logins using your Active Directory
credentials.
This article is the final installment of a three-part series on Oracle Single Sign-On. In Part I of our
series, we walked through the process of a basic, standalone server install of an Oracle
Application Server Infrastructure "Home", which includes a dedicated Oracle 10g database and
the Oracle Single Sign-On application. In Part II, we successfully integrated Oracle Internet Directory
(OID) with Microsoft Active Directory (AD). This integration included the synchronization of user
accounts from AD into the OID using the Directory Integration and Provisioning (DIP) utility. We
customized a DIP "map" to pull AD accounts into OID and into a more user friendly form. We also
enabled the External Password Authentication Plug-in for AD so that users could authenticate
directly against AD Domain Controllers using their Windows password.
In this article, I will conclude with the enablement of Oracle Single Sign-On with the JD Edwards
EnterpriseOne JAS server. We will accomplish this with the Oracle Application Server 10g R3
platform, with EnterpriseOne Tools 8.97 and Server Manager.
When I originally began the outlining process for this article, which ultimately transformed into a
somewhat lengthy "white paper", I was relying on my knowledge from having worked with Oracle
Single Sign-On with both Oracle Portal and EnterpriseOne (running Tools Release 8.96.) My
present employer had signed on to participate in the Tools 8.97 beta program, and at that time,
documentation for Oracle Single Sign-On integration with 8.97 was still being prepared. Also, as
Tools 8.97 was the first Tools release to support (and require) Oracle Application Server 10g R3
(10.1.3) for the Java Application Server, the steps needed to configure OAS for Oracle Single
Sign-On support changed from the virtually streamlined process available with OAS 10.1.2, to a
more manually intensive process with OAS 10.1.3.
Pre-Configuration Notes
Prior to beginning the steps outlined in this article, you should be familiar with, and have
performed, the installation and configuration of the Oracle Application Server 10.1.2 Infrastructure
"home", which includes OID and Oracle SSO (for more info, see Part I.) As you have learned in
Parts I and II, although it is not technically required for this portion of the exercise, you can
configure OID to synchronize with third-party LDAP servers such as Microsoft Active Directory
(see Part II.) You should also have a supported EnterpriseOne release with Tools 8.97 or greater
and EnterpriseOne HTML client hosted on Oracle Application Server 10.1.3.1. Although the
Oracle product documentation mentions limited "unidirectional" support for Websphere
Application Server (WAS), I am focusing this guide strictly on "Red Stack" components. My
demonstration, including screenshots, is from a JD Edwards EnterpriseOne 8.12 installation with
Tools CPU 8.97.2.5. I will make some concessions to those of you running older releases, such
as EnterpriseOne 8.10 and 8.11, and provide some additional hints in an effort to help you be
successful if you attempt this possible career-expanding maneuver. For those of you following
along on Linux or UNIX instead of Windows, you'll be fine provided that you make the necessary
adjustments to the command strings.
Although you may have chosen to start with a more recent version of Oracle Identity
Management—10g R3 (which includes Oracle Internet Directory and Single Sign-On
components)— this three-part series focuses on the Application Server 10g R2 release. Most of
what you will find in this series will still apply to the newer release, although there are a few
appealing features in the latest release, such as Server Chaining support, which will not be
covered.
Finally, before getting started, I'd like to update my recommendation of the LDAP Browser Editor
tool, which was mentioned and used in Parts I and II. This was a recommendation based on
convenience, not born of a technical requirement for entering into the world of integration
between OID and Active Directory. It has come to my attention that since Part II was
published, the web hosting provider for the LDAP Browser/Editor has reworked their website and
is no longer providing a copy of this fine utility. I've searched for other web hosts for the same
utility, and for alternatives, and have come to the conclusion that Softerra LDAP Administrator is
an excellent substitute (http://www.ldapbrowser.com), but it is commercial software. It is,
however, available for download as a 30 day free trial. Also, note that you can simply use the
tools provided with OID (Oracle Directory Manager) and Active Directory MMC snap-ins at no
additional cost.
To correct this, navigate to your OID server and start a command prompt session. Next, execute
the following command to unlock "orcladmin", assuming your OID database name is "orcl":
You will be required to provide the password for the "ODS" user, which is the same password
entered during installation and the same password that the installation routine assigned to
orcladmin, ias_admin, etc.
Upon entering the ODS password, you will receive confirmation that the OID super user account
has been activated, as shown in Figure 1.
No recommendation is made or implied here, so please refer to your internal security policies if
applicable. You may instead choose to set, among other options, the expiry time to a value of
31556926 to indicate "1 year" and set the "Reset password upon next login" and "Need to Supply
Old Password when Modifying Password" values to "Enable" from their default value of "Disable".
This does not impact the password policy of your Active Directory domain in any way, so
passwords will still expire and present the user with a prompt to reset based on the existing
Microsoft policy. The OID Password Expiry Time will affect only those accounts whose password
is actually stored in the OID. (Remember, the AD integration we configured in Part II utilizes the
External Password Authentication plug-in.)
Here, we've added the trusted node "JDEWEB" with the same alias for the Machine Name (any
description will do), activated the record, and defined a secure password. I'm tossing good
security out the window in my examples and will just use "abc123" for the password. See Figure
9.
Again, be sure to activate the nodes, and set and verify the node password. Record this
password as it will be shared with the Enterprise/Security server JDE.INI (for EnterpriseOne 8.9
or 8.10) and the TokenGen.ini on the OAS server (for EnterpriseOne 8.10.)
Back at the main SSO Environment Configuration Tools screen, select the next option (third in the
list) "Single Signon Token Lifetime Configuration". The end result should look something like what
is shown in Figure 10.
Figure 10: Single Signon Token Lifetime Configuration
In Figure 10, we've added a Regular and Extended lifetime "Token" with maximum values for
each (defined in seconds).
Our last step in the SSO Environment Configuration Tools application is to select the fourth option
and define the Trusted Node Configuration.
We'll set them up to trust each other as shown below; your configuration should look something
like what’s shown in Figure 12, depending on your chosen host or alias names for the Enterprise
and OAS servers.
The first step in registering the OAS server that hosts the JD Edwards EnterpriseOne JAS
instance is to log in to the OID/SSO server (or the SSO server, if you've split the roles across
servers in your environment). From there, drop to a command line and if necessary, change to
the drive letter where the Oracle Home hosting Oracle SSO is located (in my example, C:), then
change to the directory %ORACLE_HOME%\sso\bin.
Of course you will need to substitute "JDEWEB" with your chosen site name (it can be anything,
really, within reason), the path to and name of the OSSO config file (jdeweb.conf in my example),
and of course the URL you are "protecting" behind Oracle SSO. The Oracle product
documentation might tell you to use "osso.conf", but in my experience, I've had better luck using a
unique name for the config file. We'll reference that filename later on in the osso.conf, which is
located on the OAS server (once it has been copied over from the SSO server).
Figure 17: Finding the OSSO Config File Specified as a Parameter in the SSO Registration
Then, we can copy it from the SSO server over to the OAS server that hosts our JD Edwards
EnterpriseOne JAS instance (see Figure 18). For Windows installations, we can simply drag and
drop the file using the Windows Explorer UNC method. For Linux and UNIX installations, be
careful to transfer the file using binary mode if using FTP. This is, of course, not a concern with
CIFS or NFS mounted directories.
Figure 18: Copying from SSO Server to OAS Server
Also, it is possible to run the next step in one of two ways, but I will show you how to execute the
commands using the Perl method. The other method, manually editing each file, is obviously
more labor intensive, and this is why the Perl script was written: it automates this process for us.
Check to make sure that the "perl" executable is in the path as shown in Figure 20.
(where osso1013 is the actual Perl script and e:\install\osso\jdeweb.conf is the full path to the
staged copy of jdeweb.conf, which was copied over from the Oracle SSO server—see Figure 21).
Figure 22 illustrates a successful completion of the osso1013 script; we can next verify that the
staged copy of "jdeweb.conf" has been copied to the proper location and is referenced in the
Oracle SSO configuration file on our JAS server.
As you can see, the osso1013 script we called with Perl updated the mod_osso.conf file with a
reference to osso.conf, and placed the osso.conf file in the proper location on the JAS server.
See Figure 23.
Figure 23: osso.conf File in the Proper Location on the JAS Server
The osso1013 script also updated the httpd.conf file and made sure that mod_osso.conf is
included when the Oracle HTTP Server starts up (see Figure 24).
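The three results the osso1013 run should leave behind (an Include of mod_osso.conf in httpd.conf, an OssoConfigFile directive pointing at an osso.conf that is actually present, and the JAS path sitting inside a <Location> block that requires an SSO-authenticated user) can be verified with a script rather than by eye before the Oracle HTTP Server is restarted. The following Python is an added example and is not the article's, Oracle's, or the osso1013 script's code. The directive names (OssoConfigFile, AuthType Osso), the Apache/Apache/conf layout under the OAS home, and the /jde context root are assumptions taken from mod_osso conventions rather than statements in the article, and the sample configuration text is constructed.

```python
import re
from pathlib import Path

# Directive names and file layout follow Oracle HTTP Server / mod_osso
# conventions; they are an assumption of this example, not text from the article.
INCLUDE_RE = re.compile(r'^\s*Include\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)
CONFIGFILE_RE = re.compile(r'^\s*OssoConfigFile\s+"?([^"\s]+)"?', re.IGNORECASE | re.MULTILINE)
LOCATION_RE = re.compile(r"<Location\s+([^>]+)>(.*?)</Location>", re.IGNORECASE | re.DOTALL)


def check_sso_config(httpd_conf, mod_osso_conf, existing_files, protected_path):
    """Return a list of problems; an empty list means all three checks passed.

    httpd_conf / mod_osso_conf are file contents as strings, existing_files is
    the set of paths known to exist (so the check runs on constructed input
    without touching disk), protected_path is the JAS context root.
    """
    problems = []

    # 1. httpd.conf must pull in mod_osso.conf, or OHS never loads the module.
    includes = INCLUDE_RE.findall(httpd_conf)
    if not any(inc.replace("\\", "/").lower().endswith("mod_osso.conf") for inc in includes):
        problems.append("httpd.conf does not Include mod_osso.conf")

    # 2. mod_osso.conf must name an osso.conf that is really in place.
    match = CONFIGFILE_RE.search(mod_osso_conf)
    if match is None:
        problems.append("mod_osso.conf has no OssoConfigFile directive")
    elif match.group(1) not in existing_files:
        problems.append("OssoConfigFile points at a missing file: " + match.group(1))

    # 3. The JAS path must be inside a <Location> requiring an SSO-authenticated user.
    wanted = protected_path.rstrip("/") or "/"
    protected = False
    for path, body in LOCATION_RE.findall(mod_osso_conf):
        if (path.strip().rstrip("/") or "/") != wanted:
            continue
        if re.search(r"AuthType\s+Osso", body, re.I) and re.search(r"require\s+valid-user", body, re.I):
            protected = True
    if not protected:
        problems.append(f"no <Location {wanted}> block with AuthType Osso / require valid-user")

    return problems


def check_oracle_home(oracle_home, protected_path="/jde"):
    """Run the same checks against an OAS 10.1.3 home on disk (layout assumed)."""
    conf_dir = Path(oracle_home) / "Apache" / "Apache" / "conf"
    mod_osso_text = (conf_dir / "mod_osso.conf").read_text()
    referenced = CONFIGFILE_RE.search(mod_osso_text)
    existing = set()
    if referenced and Path(referenced.group(1)).is_file():
        existing.add(referenced.group(1))
    return check_sso_config((conf_dir / "httpd.conf").read_text(), mod_osso_text, existing, protected_path)


# Constructed sample: what a correct post-osso1013 layout looks like.
GOOD_HTTPD = 'ServerName jdeweb\ninclude "C:/oracle/oas1013/Apache/Apache/conf/mod_osso.conf"\n'
GOOD_MOD_OSSO = """LoadModule osso_module modules/mod_osso.so
<IfModule mod_osso.c>
    OssoIpCheck off
    OssoIdleTimeout off
    OssoConfigFile C:/oracle/oas1013/Apache/Apache/conf/osso/osso.conf
    <Location /jde>
        require valid-user
        AuthType Osso
    </Location>
</IfModule>
"""
GOOD_FILES = {"C:/oracle/oas1013/Apache/Apache/conf/osso/osso.conf"}

# Constructed sample: httpd.conf was never updated, osso.conf never arrived from
# the SSO server, and the <Location> protects the wrong path.
BAD_HTTPD = "ServerName jdeweb\n"
BAD_MOD_OSSO = GOOD_MOD_OSSO.replace("<Location /jde>", "<Location /portal>")

if __name__ == "__main__":
    print("good:", check_sso_config(GOOD_HTTPD, GOOD_MOD_OSSO, GOOD_FILES, "/jde"))
    print("bad: ", check_sso_config(BAD_HTTPD, BAD_MOD_OSSO, set(), "/jde"))
```

Against a live server, call check_oracle_home with the OAS home path; an empty list means the Include, the config file reference and the protected Location are all consistent, and each string in a non-empty list names the one thing to go back and fix before restarting the Oracle HTTP Server.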
We're not done yet, though. We must still configure the JAS instance to use Oracle SSO for
authentication rather than its own application security. The JAS configuration defaults to
internal JD Edwards EnterpriseOne Security. This means that all login requests are handled by
code contained within the JAS server instance, directed by configurable options within the JAS.INI
that point the JAS server to an EnterpriseOne Security Server for authentication. By changing the
JAS instance to use Oracle SSO for authentication, we're instructing the JAS server to redirect
the user to the Oracle SSO server for authentication, while still maintaining full JD Edwards
application security as configured in the EnterpriseOne Security Workbench application.
In EnterpriseOne Server Manager, select the correct JAS instance and locate the Security Server
Configuration options. Select "Enable Oracle Single Sign-On" and specify a URL for the Oracle
SSO Single Sign-Off URL. See Figure 25.
Once enabled, you can restart your JAS instance and navigate to the same URL you've used
previously. Instead of the standard JD Edwards EnterpriseOne HTML login screen, you should
now see something similar to what's shown in Figure 26.
Figure 26: Single Sign-On Sign In
Once Oracle SSO has authenticated the user (in this case, JDE), the user is redirected back
to JD Edwards EnterpriseOne, which then accepts the authentication from Oracle SSO and
presents the application, as shown in Figure 27.
Conclusion
Presuming you have followed me through each of the articles in this three-part series, you have
now been exposed to what goes on behind the scenes with JD Edwards EnterpriseOne when
deploying an alternative authentication mechanism. We walked through the initial stages of the
Oracle Infrastructure home installation (including both Oracle Single Sign-On and Oracle Internet
Directory, among other installable components). We established and customized the integration
between Oracle Internet Directory and a third-party directory server, Microsoft's Active Directory,
and configured a scheduled "one way" synchronization of accounts from Active Directory to the
Oracle Internet Directory. We then enabled the external password authentication plug-in so that
users can log in to Oracle Single Sign-On using their existing Windows username and password.
To cap it off, we pointed a single JD Edwards EnterpriseOne JAS instance to the Oracle Single
Sign-On server and validated successful logins using our Active Directory credentials.
Oracle Single Sign-On is a complementary product and does not take the place of JD Edwards
EnterpriseOne application security as administered through Security Workbench; it does not
Although part of the Oracle Technology Foundation for JD Edwards EnterpriseOne, Oracle SSO
is now considered a "legacy" solution by the Oracle sales channel. I interpret this as a way of
saying that Oracle SSO, bundled as part of Oracle Identity Management, Oracle Application
Server Enterprise Edition, Oracle Technology Foundation, etc., is an Oracle solution tailored for
Oracle applications and as such does not help them penetrate in other application spaces. Talk
to them about a Single Sign-On solution and you may be presented with a bevy of options
including Oracle Access Manager, Oracle Identity Federation, and the Oracle Enterprise Single
Sign-On Suite. Each of these solutions has some product overlap, while serving specific
targeted usage.
Oracle Single Sign-On (along with Oracle Internet Directory) is a proven solution for use with
many Oracle applications including, but not limited to, JD Edwards EnterpriseOne, Oracle BI
Enterprise Edition, and Oracle Portal (which currently requires Oracle Single Sign-On.) At the
time of this writing, Oracle Fusion Middleware 11g has not yet been released. It remains to be
seen which features will ship with this product, and it is rumored that Oracle Single Sign-On will
not be a part of the new Application Server suite. It will continue to be supported as part of the
Oracle Application Server 10g product, however, and is still on the table as a supported solution
with EnterpriseOne and Oracle Portal. Therefore, do your research, and then discuss the
solution internally and with your various Oracle sales representatives before making the decision
to implement in your environment. Having said that, Oracle Single Sign-On and Oracle Internet
Directory have provided my customers with years of rock solid and dependable service. I firmly
believe that while there are other competing solutions on the market, the value proposition of
Oracle SSO, especially when utilized with other Oracle applications such as Oracle Portal, Oracle
BI Enterprise Edition and Hyperion, is tough to beat.
Charles Anderson, Application Support Manager, Forestar Real Estate Group, Inc. has over
13 years worth of combined experience in both disciplines: Information Systems and Information
Technology. Charles recently accepted the Oracle Excellence Award on behalf of Forestar and
its former parent company, Temple-Inland, for a creative deployment of JD Edwards
EnterpriseOne on the Oracle Fusion Middleware platform. Prior to joining Forestar, Charles
spent six years in the IT department of a Fortune 500 manufacturing company where he spent
almost five of those six years as a JD Edwards EnterpriseOne System Administrator, CNC, and
later as the CNC Team Lead. Charles has real world experience supporting Oracle Fusion
Middleware for a custom Oracle Portal implementation as well as the JD Edwards EnterpriseOne,
Hyperion, and Oracle BI Enterprise Edition suites. Charles has attained Systems and Network
Administrator certifications in both HP and Sun flavors of UNIX, Cisco Networking, and Citrix
Presentation Server technologies. He is a reformed former MCSE who loves all things "Open
and Standard", but yet still manages to believe himself to be technology agnostic. You may
contact the author at JDEtips.Authors@ERPtips.com. Be sure to mention the author’s name
and/or the article title.
License Information: The use of JDE is granted to Klee Associates, Inc. by permission from J.D. Edwards World Source
Company. The information on this website and in our publications is the copyrighted work of Klee Associates, Inc. and is
owned by Klee Associates, Inc. NO WARRANTY: This documentation is delivered as is, and Klee Associates, Inc. makes
no warranty as to its accuracy or use. Any use of this documentation is at the risk of the user. Although we make every
good faith effort to ensure accuracy, this document may include technical or other inaccuracies or typographical errors.
Klee Associates, Inc. reserves the right to make changes without prior notice. NO AFFILIATION: Klee Associates, Inc.
and this publication are not affiliated with or endorsed by J.D. Edwards & Company. J.D. Edwards software referenced on
this site is furnished under license agreements between J.D. Edwards & Company and their customers and can be used
only within the terms of such agreements. J.D. Edwards is a registered trademark of J.D. Edwards & Company. JDE and
OneWorld are registered trademarks of J.D. Edwards World Source Company. WorldSoftware is a trademark of J.D.
Edwards World Source Company. PeopleSoft, the PeopleSoft logo, PeopleTools, PS/inVision, PeopleCode, PeopleBooks,
PeopleTalk, and Pure Internet Architecture are registered trademarks, and Intelligent Context Manager and The Real-
Time Enterprise are trademarks of PeopleSoft, Inc. Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Klee Associates, Inc. is not affiliated with or endorsed by Oracle Corporation.