Overview:
This document is a step-by-step guide to deploying OAM with Siebel. It highlights environment-specific values in red.
Oracle Access Manager authentication, authorization, and auditing services for Siebel 8 applications.
Oracle Access Manager single sign-on (SSO) for Siebel 8 applications and other Oracle Access Manager-protected resources within a single domain or across multiple domains.
Oracle Access Manager authentication schemes. The following schemes provide single sign-on for Siebel 8 applications:
Basic: Users must enter a user name and password in a window supplied by the Web server. This method can be redirected to SSL.
Form: This method is similar to the basic challenge method, but users enter information in a custom HTML form. You can choose the information users must provide in the form that you create.
Windows Integrated Authentication (WIA): Users will not notice a difference between an Oracle Access
Manager Authentication and WIA when they log on to the desktop, open an Internet Explorer (IE)
browser, request an Oracle Access Manager-protected Web resource, and complete single sign-on.
Custom: Additional forms of authentication can be incorporated through use of the Oracle Access
Manager Authentication Plug-in API.
Session timeout: Oracle Access Manager enables you to set the length of time that a user session is valid.
Ability to use the Identity System for identity management: The Identity System provides identity
management features such as portal inserts, delegated administration, workflows, and self-registration to
applications such as Siebel 8.
The self-registration feature for new users and customers provides flexibility in terms of how much access to
provide to people upon self-registration. Identity System workflows enable a self-registration request to be
routed to appropriate personnel before access is granted.
Oracle Access Manager also provides self-service, allowing users to update their own identity profiles.
Oracle Corporation
9/18/2014
1. Install and configure Siebel 8, as described in the Create/Enable an Access Gate Configuration in the Access Server section.
2. Install Oracle Access Manager and a WebGate, and configure access control policies to protect Siebel resources, as described in the Installing the web gate plug-in on the Siebel web server section.
3. Test the integration, as described in the Testing the resource rule with your browser section.
1. Install Oracle Access Manager and ensure that you have installed a WebGate on the Web server instance supporting the Siebel Web server extension, as described in the Oracle Access Manager Installation Guide.
2. Synchronize the time on all servers where Siebel and Oracle Access Manager components are installed. Each Siebel application has its own document directory. You can either protect each application individually or protect the higher-level directory under which the applications reside.
3. In the Policy Manager, create a policy domain to protect Siebel resources on Web servers where Siebel and the WebGate are installed, as described in the Oracle Access Manager Access Administration Guide. Oracle Access Manager sets header variables that are passed on to the Siebel Industry Application to allow access only to specified users.
4. In the Authorization Rule, on the Actions page of the policy domain protecting the Siebel resource, configure the action to map an Oracle Access Manager header variable uid to the Siebel uid.
5. Remove the default no-cache HTTP pragmas that Oracle Access Manager sets. In Oracle Access Manager, clear the values of the following Access Gate configuration parameters for your Access Gate:
CachePragmaHeader=no-cache
CacheControlHeader=no-cache
Note: The header variable set in the Oracle Access Manager policy should be equal to the value of the UserSpec parameter in the eapps.cfg file.
In the following example, the uid is mapped to the SSO_SIEBEL_USER HTTP header variable:
Type: HeaderVar
Name: SSO_SIEBEL_USER
Attribute: uid
7. In the Authorization Rules, on the Allow Access page of the policy domain, select the Oracle Access Manager/Siebel users to whom you want to grant access to the resources that are protected by the policy domain.
2) Click the Access System Console link and log in, for example as oamadmin/oamadmin:
If a shared environment is used, it is possible that someone has already set up an Access Gate for your VCAP machine name. First click AccessGate Configuration and search for an AccessGate with your machine name.
Note: Clicking Go on the right of the screen (scroll right) without specifying any search criteria returns all AccessGate configurations for this Access Server.
If the search returns an AccessGate with your machine name, click the name of the AccessGate
and verify the settings with the following steps in this section of the
After you click an existing AccessGate configuration, the Modify and List Access Servers buttons at the bottom of the existing AccessGate configuration page allow you to modify the settings mentioned below if necessary.
If one does NOT exist with your machine name, click the Add New Access Gate link to create one.
CachePragmaHeader: no-cache
CacheControlHeader: no-cache
Click the Save button at the bottom of the page to save your new Access Gate Configuration.
Note: You will receive an error message stating that this configuration is not associated with an Access
Server.
Click the List Access Servers button at the bottom of the page to associate this Access Gate
Configuration with the TS Lab Access server.
Click Add to receive this screen showing the Access server has been added to the AccessGate
Configuration.
If your Siebel Web Server host name does NOT exist, click Add.
NOTE: If your host name exists, move on to the WebGate Installation below.
Enter the Siebel web server FQDN in the Name and Hostname Variations fields, e.g. Sdcr710i006c.us.oracle.com
Click the + next to Hostname Variations.
Add an entry for just the hostname of the Siebel web server machine.
Click Save.
III. Installing the web gate plug-in on the Siebel web server.
(Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebGate.exe)
Click Next
Click Next.
The entries above tell this WebGate plug-in to use the Access System Console AccessGate Configuration that was completed earlier in section I.
WebGateID: <name of the AccessGate set up earlier> e.g. sdcdl383i098
Password for WebGate: <password used in the AccessGate Configuration> e.g. siebel
Access Server ID: <name of the Access Server> e.g. sdctslab_AccessSrvr1 (lab access server)
Hostname for the Access Server: <FQDN host of the Access Server> e.g. sdcr710i001n.us.oracle.com
Access Server Port: <port of the Access Server> e.g. 6021, which is the default Access Server port.
Click Next:
Continue clicking Next button on the setup wizard until the install is Complete.
As stated in the above screen shot, restart the IIS Admin service after finishing the installation
of the WebGate.
IV. Confirm the installation of the web gate plug-in on the Siebel web server.
After the web server (IIS) restart, confirm that the WebGate installation was successful using the following template URL for the Siebel web server:
http(s)://host:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
In this case, it would be:
Click the My Policy Domains link to access the Siebel Policy domain that has been setup for
the TS Labs.
Click the Siebel link to access the configuration of this policy domain.
Click the Resource tab to view the current resources that this policy domain is protecting. This tab shows which web servers and URLs are protected by this Siebel policy domain. In this example, this policy is protecting any URL (Url Prefix = /) for the sdcdl383i091.corp.siebel.com web server host machine. It is possible to protect a particular virtual directory instead of the whole web server by specifying a URL prefix like /callcenter_enu.
Note: Once resource rules are created, they cannot be modified. To change an existing resource rule, you have to delete it and create a new one.
To delete an existing rule, click the check box next to the rule and then click the Delete button:
Select the Host identifier for your web server machine that was created earlier in these steps.
Enter the appropriate Url Prefix (if necessary). In the example below, I am protecting the finsebanking_enu virtual directory on this web server. If this value is left blank, all URLs on the web server are protected. Remember you can create multiple resource rules for the same web server. This makes it possible to protect specific virtual directories on the web server. Click the Save button to save the rule.
If you do not receive this dialog box, please check the previous steps in this document and also
ensure that you have restarted the IIS admin service.
Configuring the LDAPSecAdpt and OM for Oracle Access Manager SSO authentication.
Enter the following values for the Oracle Access Manager LDAP directory.
Server Name: 10.217.30.136 or sdcr710i001n.us.oracle.com
BaseDn: ou=people,dc=corp,dc=siebel,dc=com
ApplicationUser: uid=appuser,ou=people,dc=corp,dc=siebel,dc=com
ApplicationPassword: appuser
SharedCredentialsDn: uid=sharedcredentials,ou=people,dc=corp,dc=siebel,dc=com
CredentialsAttributeType: mail (username=sadmin password=sadmin)
UserNameAttributeType: uid
Propagate Change: False (turns off LDAP update from the Siebel application)
Single Sign On: True
Trust Token: HELLO (This value must match TrustToken in the SWSE application section)
User Name Attribute Type: uid (attribute in the LDAP directory that contains Siebel username).
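The two matching rules stated in this guide (UserSpec in eapps.cfg must equal the header variable set in the Oracle Access Manager policy, and the security adapter Trust Token must match TrustToken in the SWSE application section) can be checked with a short script. This is an added example, not part of the original guide or of Oracle's tooling; the eapps.cfg section layout, the SingleSignOn key in that file, the function name, and the sample file content are assumptions constructed for illustration.

```python
import configparser

# Constructed sample of one SWSE application section in eapps.cfg
# (assumed layout; values taken from the examples in this guide).
SAMPLE_EAPPS_CFG = """
[/finsebanking_enu]
SingleSignOn = TRUE
TrustToken = HELLO
UserSpec = SSO_SIEBEL_USER
"""


def check_sso_config(eapps_text, section, oam_header_name, adapter_trust_token):
    """Return a list of findings; an empty list means the values line up."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(eapps_text)
    if not cfg.has_section(section):
        return [f"section [{section}] not found in eapps.cfg"]
    app = cfg[section]
    findings = []

    # The SWSE side must have SSO switched on for this application.
    if app.get("SingleSignOn", "").strip().upper() != "TRUE":
        findings.append("SingleSignOn is not TRUE for this application")

    # UserSpec must equal the HeaderVar name in the OAM authorization action.
    user_spec = app.get("UserSpec", "").strip()
    if user_spec != oam_header_name:
        findings.append(
            f"UserSpec '{user_spec}' differs from OAM header variable "
            f"'{oam_header_name}'"
        )

    # The token is a shared secret, so findings never echo its value.
    token = app.get("TrustToken", "").strip()
    if token != adapter_trust_token:
        findings.append("TrustToken differs between SWSE and the security adapter")
    if token.upper() == "HELLO":
        findings.append("TrustToken is the guide's sample value; replace it outside a lab")
    return findings


if __name__ == "__main__":
    for finding in check_sso_config(
        SAMPLE_EAPPS_CFG, "/finsebanking_enu", "SSO_SIEBEL_USER", "HELLO"
    ):
        print("FINDING:", finding)
```

Run against the sample, the only finding is that the Trust Token is still the sample value from this guide.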
Click the Parameters tab in the lower applet. Query for Sec* and set Value on Restart to the values below.
While we are here, let's turn on security adapter logging in case errors occur or we want to confirm that the security adapter is in fact being used. Click the Events tab. Query for Sec* again (if necessary) and set the values below.
Siteminder: The ERP Agent for Siebel (also known as Web Agent) and the Siteminder Policy Server are used to get the user identity in the form of an HTTP header variable called SIEBELUSER and the SSO Authentication Ticket. Keep the Siteminder ERP Agents running on the Siebel Web Server 'as-is'.
Siteminder: For customers who have implemented Siteminder SSO with Siebel, it is important to note that the custom security adapter cannot be used for Siebel - BIP Reports integration.
Siteminder: An extra '//' in a URL being passed to Siebel gets blocked by Siteminder as not meeting http://tools.ietf.org/html/rfc2397. Oracle has fixed this issue as of 8.1.1.9/8.2.2.2. As a workaround, one can configure a special parameter called BadQueryChar in Siteminder and specify a single character or multiple characters that are considered bad in an HTTP request.