In this post, I will point out some important aspects of enabling SSL on SSO 10g.
As you may know, support for SSO 10g is limited. Oracle directs us to use Oracle Access Manager rather than SSO 10g, so the information we can find on the internet is limited as well.
This becomes a problem when we hit a bug or need a special configuration. In such situations, unfortunately, we stand alone; we need to solve the problems ourselves by doing advanced diagnostics.
When we talk about SSL on SSO 10g, we are actually talking about 3 tiers.
One of them is the application that uses SSO to authenticate its users.
In this story, this application is EBS R12.
Of course, the middle tier is SSO 10g, which is essentially an Oracle Application Server.
The 3rd tier is OID and its database. In this story, it is OID 11g, which runs on WebLogic Server.
In order to diagnose the integration problems, we need to know the following:
The txkrun.pl script stored in EBS. This script makes EBS register itself with SSO through OID.
The scripts ssocfg.sh and ssoreg.sh stored on the SSO 10g server. ssocfg.sh configures SSO, and ssoreg.sh registers SSO and also updates the mod_osso registration record in osso.conf.
owm (Oracle Wallet Manager) in SSO 10g, which is used to store our SSL certificates.
The OID 11g configuration tables, used to check the registered partner application configuration from the backend.
odsm in OID 11g, used to check and configure things like operationsUrl for such a configuration change.
Okay. I will give two problems and their solutions to show what to check while dealing with problems in an EBS-integrated SSO 10g / OID 11g configuration after enabling SSL in SSO.
First of all, we can follow the steps described in the following link to enable SSL on SSO 10g:
http://ermanarslan.blogspot.com.tr/2015/02/sso-10g-enabling-ssl-on-ebs-integrated.html
These steps seem sufficient for such an operation, but some problems may still arise.
Possible problems:
1)
Unable to log out from EBS after enabling SSL on SSO.
When we encounter this problem, we need to check the URLs, i.e. the URLs used for SSO login and SSO logout. An inconsistency between these URLs will create a logout problem.
For example, if the SSO login URL is https://ermanhost:4443/... and the logout URL is https://ermanhost.ermandomain:4443/..., then we will have this logout problem. In other words, the domain name is important.
To check the SSO URLs used for EBS login and logout, we can query the orasso.wwsso_papp_configuration_inf_t table in the OID database.
A browser HTTP trace may also help.
If we see an inconsistency, we need to use ssoreg.sh to update these records accordingly.
Lastly, we deregister and re-register EBS using txkrun.pl.
2)
Certificate warnings in browsers.
If the domain name used in the login/logout URLs is different from the domain name in the SSL certificate, we will get a "certificate not trusted" warning in browsers.
For example, our login URL is ermanhost.ermandomain:4443, but the certificate we use in SSO 10g is issued for ermanhost.
In such a situation, one solution is to change the login/logout URLs (using ssoreg.sh) to match the name stored in the SSL certificate. Lastly, we deregister and re-register EBS using txkrun.pl.
Alternatively, we can request a new certificate from the CA that matches our login/logout URLs and make SSO use that certificate.
The CN in the certificate should match the FQDN used in the login/logout URLs.
For example, if we have CN=ermanhost in the certificate, then we need https://ermanhost:4443... in our login/logout URLs.
3)
"The page cannot be displayed": unable to reach the SSO login page from browsers via its https URL, even if everything seems OK.
In this situation, SSL may be disabled in our browsers. The security policy in our environment may require us to use TLS instead of SSL.
If that is the scenario, it is described in "TLS 1.0 Handshake Fails With 'SSL call to NZ function nzos_Handshake failed with error 29014'" (Doc ID 470123.1).
The fix is applying patch 6370967. Apply this patch in the SSO Oracle Home and retest.
In conclusion, I can say that dealing with problems in the SSO infrastructure is not an easy thing. We can't get enough support when something strange happens along the way :)
However, I wrote this post to shed light on the facts of such an integrated configuration. Having general knowledge of the configuration architecture as a whole lets us analyze the problems on our own, since enabling SSL in SSO 10g affects the configurations stored in OID and EBS, too. Even browser configuration may affect our success in such an environment.
If you want to ask a question, please don't comment here.
For your questions, please create an issue in my forum.
Forum Link: http://ermanarslan.blogspot.com.tr/p/forum.html
Register and create an issue in the related category.
I will support you from there.