
CA SiteMinder Connector for Oracle Solutions Architecture, Installation and Configuration Guide For UNIX Version 1.6 (Rev 1.1) December 2008

eTrust™ SiteMinder Connector for Oracle Solutions Architecture, Installation and Configuration Guide - UNIX

CA Inc. Solution Engineering Team 100 Staples Drive Framingham, MA 01702 Phone: (508) 628-8000 http://www.ca.com/ © 2006 CA, Inc. All trademarks, trade names, service marks and logos referenced herein belong to their respective companies. Netegrity, Inc. is a wholly-owned subsidiary of CA, Inc. eTrust™ SiteMinder® products and associated documentation are protected by copyright and are distributed under a licensing agreement. CA Inc. has prepared this document for use by CA personnel, licensees, and customers. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronic, mechanical, photocopying, optical magnetic, or otherwise, without prior written permission from CA. CA reserves the right to, without notice, modify or revise all or part of this document and/or change product features or specifications. This document is provided “AS IS” without warranty of any kind, either express or implied, and is subject to change without notice by CA. CA assumes no responsibility for any errors or omissions contained herein or in any products, documents or material referenced herein. In no event shall CA be liable for any direct, indirect, incidental, punitive or consequential damages of any kind resulting from the contents of this document or any representations made herein. Questions, Queries & Comments should be emailed to bhanu.sareddy@ca.com This is not a support mailbox, so support issues should not be directed here.

Contents

INTRODUCTION
PREREQUISITES
SITEMINDER AND ORACLE AS ARCHITECTURE
    SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package
    SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface
    Single Sign-On and Sign-Off Session Management
SITEMINDER CONNECTOR IMPLEMENTATION WITH THE ORACLE PL/SQL AUTHENTICATION PACKAGE
    SiteMinder Oracle AS Connector without a Proxy Agent
    SiteMinder Oracle AS Connector with a Proxy Agent
SITEMINDER CONNECTOR IMPLEMENTATION WITH THE OC4J SECURITY AUTHENTICATION INTERFACE
PRE-INSTALLATION
    Install and Configure Oracle AS
    Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server
    Install and Configure the SiteMinder Policy Server
SOFTWARE INSTALLATION FOR UNIX
    Installation Files
    Install the Oracle AS Connector Software
INSTALLATION OPTION 1: CONNECTOR WITH THE ORACLE PL/SQL AUTHENTICATION PACKAGE
    Install the Oracle AS Connector in the Oracle Database
    Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database
INSTALLATION OPTION 2: CONNECTOR WITH THE OC4J SECURITY AUTHENTICATION INTERFACE
    Install the OC4J Security Authentication Interface
CONFIGURATION FOR UNIX
    Configure the SiteMinder Policies for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Agent for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Agent Group for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Policy Domain for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Realm for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Rule for the Oracle AS Connector and Proxy Agent
        Configure another SiteMinder Realm for the Oracle AS Connector and Proxy Agent
        Configure another SiteMinder Rule for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Response for the Oracle AS Connector and Proxy Agent
        Configure a SiteMinder Policy for the Oracle AS Connector and Proxy Agent
    Configure the Oracle AS Connector and Proxy Agent
    Configure the Oracle HTTP Server for the PL/SQL Authentication Package
SITEMINDER ORACLE AS CONNECTOR PROXY AGENT STARTUP
POST INSTALLATION
TROUBLESHOOTING
    SiteMinder Oracle AS Connector Logging
    SiteMinder Oracle AS Proxy Agent Logging
    SiteMinder Technical Support

Introduction

The Oracle Application Server (Oracle AS) provides security and single sign-on (SSO) for Oracle business applications deployed over the Internet. Unfortunately, it does not easily extend this security and/or single sign-on to other enterprise applications, including various ERP solutions. As a result, many ERP customers have turned to eTrust SiteMinder to provide access control and single sign-on across all their applications in the enterprise. The SiteMinder Oracle Single Sign-On Connector enables SiteMinder to extend single sign-on to the Oracle Application Server and Portal. The purpose of this document is to provide information regarding the architecture, installation, and configuration of the SiteMinder Oracle Single Sign-On Connector.

Prerequisites

The platform support matrix lists all combinations of supported Web Agents, Agents for Oracle Application Server, and Operating Systems. Go to http://support.ca.com to view the matrix.

SiteMinder and Oracle AS Architecture

The SiteMinder Oracle connector offers a two-tier single sign-on solution for the Oracle AS and Portal environment. The connector is an agent that communicates with the SiteMinder policy server to validate a SiteMinder session. The agent by means of the policy server will authenticate the session for single sign-on, but does not perform authorization. Oracle AS will authorize the user for the Oracle business applications. Because SiteMinder initially authenticates the user, the connector can validate the user’s session where it was originally generated, at the SiteMinder policy server.

The Oracle Single Sign-On Server is implemented as an Apache module that is part of the Oracle HTTP Server. It can delegate single sign-on authentication to a third party product, like SiteMinder. Delegation can be accomplished in either of the two following ways:

1. By implementing the third party single sign-on PL/SQL package named, wwsso_auth_external. Whenever authentication is required, the Oracle Single Sign-On Server requests the Oracle database to execute the PL/SQL method, authenticate_user that is implemented in the PL/SQL package, wwsso_auth_external.
2. Or by implementing the third party single sign-on OC4J Security Interface named, IPASAuthInterface. Whenever authentication is required, the Oracle Single Sign-On Server requests the OC4J security container to execute the method, authenticate that is implemented by the IPASAuthInterface.

In Oracle AS 9i and 10G (Release 1, the 9.0.4), delegation is possible in either of the above two ways. But in Oracle AS 10G (Release 2, 10.1.2.x) the delegation is possible only through the OC4J Security Interface.

The SiteMinder Oracle AS connector will validate a SiteMinder session on behalf of the Oracle Single Sign-On Server by communicating with the SiteMinder policy server. The SiteMinder policy server then validates the session. The point of sign-on trust is transferred from the Oracle Single Sign-On Server to the SiteMinder policy server.

SiteMinder Two-Tier Single Sign-On Solution with the Oracle PL/SQL Authentication Package

The SiteMinder Oracle AS connector implements a two-tier single sign-on solution. The point of sign-on trust moves away from the Oracle Single Sign-On Server and to the SiteMinder policy server. If the Oracle Authenticate PL/SQL package is implemented and installed in the database, the Oracle Single Sign-On Server will delegate trusting the user’s session to the SiteMinder Oracle AS connector through the implementation of the method, authenticate_user in the PL/SQL Authentication package, wwsso_auth_external. The method, authenticate_user is implemented to invoke the SiteMinder Oracle AS connector to validate the SiteMinder session back at the policy server where it was generated.

The SiteMinder web agent installed on the Oracle HTTP Server sets the SiteMinder session after successful login to SiteMinder. The SiteMinder session is set as an encrypted HTTP cookie and header variables. The Oracle Single Sign-On server will present the header variables that represent the SiteMinder session to the PL/SQL package, and the authenticate_user method will call the SiteMinder Oracle AS connector to validate the SiteMinder session. The connector communicates with the policy server to validate the session. If the session is valid the connector will compare the user id identified by the policy server for the session with the user id presented by the Oracle Single Sign-On Server at single sign-on time. If the user ids are the same, the single sign-on is allowed. If not, the single sign-on is denied. This two-tier single sign-on solution is shown in the diagram below.

SiteMinder Two-Tier Single Sign-On Solution with the OC4J Security Authentication Interface

If the OC4J Security Authenticate Interface is implemented and installed, the Oracle Single Sign-On Server will delegate trusting the user’s session to the SiteMinder Oracle AS connector through the implementation of the method, authenticate in the OC4J Security Authentication Interface, IPASAuthInterface. The method, authenticate is implemented to invoke the SiteMinder Oracle AS connector to validate the SiteMinder session back at the policy server where it was generated.

The SiteMinder web agent installed on the Oracle HTTP Server sets the SiteMinder session after successful login to SiteMinder. The SiteMinder session is set as an encrypted HTTP cookie and header variables. The Oracle Single Sign-On server will present all the request header variables to the OC4J Security Authentication interface, i.e. the authenticate method. This method is implemented to call the SiteMinder Oracle AS connector to validate the SiteMinder session. The connector communicates with the policy server to validate the session. If the session is valid the connector will compare the user id identified by the policy server for the session with the user id presented by the Oracle Single Sign-On Server at single sign-on time. If the user ids are the same, the single sign-on is allowed. If not, the single sign-on is denied. This two-tier single sign-on solution is shown in the diagram below.

Single Sign-On and Sign-Off Session Management

Many Internet applications use independent session management schemes. The most common session management scheme is through the use of a cookie, but still the session information is independent and decrypted differently between vendors and Internet applications. This is especially true when there is more than one ERP application in the environment. Each ERP application will manage its own session independent of the other application’s session management. One of the main security problems when integrating applications that maintain their own sessions is the possibility SiteMinder and application sessions may not remain synchronized as the user logs in and out of each application. When the application sessions diverge from the SiteMinder session, SiteMinder’s replay prevention and session management logic is sometimes bypassed.

The SiteMinder Oracle AS connector includes another software component, the SiteMinder Session Linker. The SiteMinder Session Linker is a web server plug-in that monitors the SiteMinder session and Oracle AS session, as well as other ERP application sessions. Its purpose is to manage and synchronize independent application sessions with the SiteMinder session. It links the SiteMinder session to all the other application sessions in the environment including the Oracle AS session. Thus when a user logs out of one application, the SiteMinder session is no longer valid and the other application sessions tied to the SiteMinder session are not valid either. The user is logged out of all the applications in the environment tied to the SiteMinder session. Thus, the user is challenged to login until a new session with an application is established.

The eTrust SiteMinder Oracle AS connector in conjunction with the SiteMinder Session Linker provides single sign-on and sign-off to Oracle AS. The connector provides single sign-on while the Session Linker provides single sign-off. Refer to the document, Netegrity Professional Services Session Linker Administrator Guide, for more information about the SiteMinder Session Linker.

SiteMinder Connector Implementation with the Oracle PL/SQL Authentication Package

The SiteMinder Oracle AS connector is a SiteMinder agent that communicates with the policy server to validate a SiteMinder session. The connector can communicate directly with the policy server or communicate with the policy server via a proxy agent. The connector receives user session validation requests from Oracle PL/SQL package, wwsso_auth_external. For this reason, it is implemented as an external shared library. The shared library is coded with the C programming language and uses the SiteMinder Agent API. The PL/SQL will make external function calls to the external shared library. More specifically the method, authenticate_user in the PL/SQL package, wwsso_auth_external will call the function, SmSSOSessionVerify in the shared library to validate a SiteMinder session.

To run external routines in a shared library, PL/SQL will alert a listener process that spawns a session specific process named extproc. The listener will hand the connection to the extproc process and PL/SQL will pass the name of the shared library, name of the external routine and parameters to the extproc process. The extproc process loads the library and runs the external routine and passes any return values to PL/SQL. After the external routine completes, the extproc process remains active throughout the PL/SQL session.

Each PL/SQL session spawns its own extproc process to load the shared library and call the external routines in the library. Thus, each user login spawns its own separate process to load the library and validate the session. When the Oracle AS connector proxy agent is not used, each connector acts as an agent that opens a connection to the policy server to make a single user session validation request as opposed to reusing the connections already established to the policy server to make multiple session validation requests of the policy server. This is not efficient and very expensive, since each login request opens its own agent connection to the policy server and makes a single session validation request. A great deal of time is spent establishing and closing connections with the policy server. In addition each connector cannot support load balancing between multiple policy servers, since each connector only processes one session validation request. This is a result of how PL/SQL calls external routines in an external library. For this reason, it is recommended that the connector always use the Oracle AS connector proxy agent to communicate with the policy server whenever possible, instead of the connector directly communicating with the policy server to validate the session.

SiteMinder Oracle AS Connector without a Proxy Agent

The diagram below shows the SiteMinder Oracle AS Connector without the Oracle AS Proxy Agent. Notice in the diagram that each Oracle client login will load the Oracle AS connector and it will exist throughout the client’s session. In this model, PL/SQL will load the connector for each user login. The connector will communicate with the policy server over a TCP socket. The connector and policy server may reside on different systems in the internal network, not in the DMZ.

In this model, each connector opens a connection to the policy server to service a user session validation request. An agent connection is established with the policy server for each session validation request. Thus, each connector only handles one session validation request. As a result, agent connections with the policy server are opened and closed for each login request. Also the agent load balancing to policy servers is not used. For this reason, it is recommended to always use the Oracle AS connector with the Oracle AS connector proxy agent.

SiteMinder Oracle AS Connector with a Proxy Agent

The diagram below shows the SiteMinder Oracle AS Connector with the Oracle AS Proxy Agent. As shown in the diagram, each Oracle client login will still load the Oracle AS connector and it will exist throughout the client’s session, but each connector opens a connection to the Oracle AS Proxy Agent to service user session validation requests. The connector and the proxy agent communicate via a named stream pipe on the same system. Thus the connector and proxy agent must reside on the same system.

The proxy agent communicates with the policy server to service user session validation requests on behalf of the connector. The proxy agent opens connections to the policy server and communicates over TCP sockets. These connections remain open and are reused among the connectors. The proxy agent and policy server may reside on different systems in the internal network, not in the DMZ.

In this model, the connectors still handle one session validation request, but the agent proxy will handle multiple session validation requests with the policy server on behalf of the connectors. This model does not open an agent connection with the policy server for each session validation request. The session validation requests use connections already established between the proxy agent and the policy server from a pool of connections. This model will support load balancing the user session validation requests between multiple policy servers. If the proxy agent is unavailable to handle session validation requests for the connector, the connector will fail over to communicating directly with the policy server for its user session validation request.
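The session check from the two-tier sections and the proxy fail-over described above, modelled in C as an added example; it is not the connector's code and does not call the SiteMinder Agent API. The session table, the env flags and every function name are hypothetical, and two behaviours are assumptions: user ids are compared exactly, and the check denies when no path to the policy server is available.

```c
/* Added example: a model of the connector's decision, not CA's code.
 * Every name here is hypothetical; no SiteMinder Agent API is used. */
#include <stdio.h>
#include <string.h>

enum sso_result { SSO_DENY = 0, SSO_ALLOW = 1 };
enum transport  { VIA_NONE = 0, VIA_PROXY, VIA_DIRECT };

/* Constructed sample data standing in for the policy server's sessions. */
struct session { const char *id, *spec, *uid; int valid; };
static const struct session POLICY_SERVER[] = {
    { "sid-1001", "spec-aaa", "jsmith", 1 },
    { "sid-1002", "spec-bbb", "mjones", 1 },
    { "sid-1003", "spec-ccc", "jsmith", 0 },  /* logged out or expired */
};

/* Which paths are reachable in this simulated run. */
struct env { int proxy_up; int policy_server_up; };

/* Prefer the local proxy agent; fail over to a direct connection. */
static enum transport pick_transport(const struct env *e)
{
    if (!e->policy_server_up)
        return VIA_NONE;
    return e->proxy_up ? VIA_PROXY : VIA_DIRECT;
}

/* Policy-server side: return 1 and the session's user id if it is valid. */
static int policy_server_validate(const char *id, const char *spec,
                                  const char **uid_out)
{
    size_t i, n = sizeof POLICY_SERVER / sizeof POLICY_SERVER[0];
    for (i = 0; i < n; i++) {
        const struct session *s = &POLICY_SERVER[i];
        if (s->valid && strcmp(s->id, id) == 0 && strcmp(s->spec, spec) == 0) {
            *uid_out = s->uid;
            return 1;
        }
    }
    return 0;
}

static int is_blank(const char *s) { return s == NULL || *s == '\0'; }

/* Connector side: allow only if the session validates at the policy server
 * and its user id equals the one the Oracle SSO server presented. */
enum sso_result verify_sso(const struct env *e, const char *sso_uid,
                           const char *session_id, const char *session_spec,
                           enum transport *used)
{
    const char *session_uid = NULL;
    enum transport t = VIA_NONE;
    enum sso_result r = SSO_DENY;            /* deny unless every check passes */

    if (!is_blank(sso_uid) && !is_blank(session_id) && !is_blank(session_spec)) {
        t = pick_transport(e);
        if (t != VIA_NONE
            && policy_server_validate(session_id, session_spec, &session_uid)
            && strcmp(session_uid, sso_uid) == 0)   /* exact match (assumption) */
            r = SSO_ALLOW;
    }
    if (used)
        *used = t;
    return r;
}

int main(void)
{
    struct env proxy_down = { 0, 1 };
    enum transport t;
    enum sso_result r;

    r = verify_sso(&proxy_down, "jsmith", "sid-1001", "spec-aaa", &t);
    printf("%s via %s\n", r == SSO_ALLOW ? "allow" : "deny",
           t == VIA_PROXY ? "proxy" : t == VIA_DIRECT ? "direct" : "none");
    r = verify_sso(&proxy_down, "mjones", "sid-1001", "spec-aaa", &t);
    printf("%s (user id mismatch)\n", r == SSO_ALLOW ? "allow" : "deny");
    return 0;
}
```

The case to watch in a real deployment is the second call: a session that is valid at the policy server but belongs to a different user than the one presented at single sign-on time must still be denied.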

SiteMinder Connector Implementation with the OC4J Security Authentication Interface

The SiteMinder Oracle AS connector functions in the same way as described with the PL/SQL Authentication package. The connector can communicate directly with the policy server or communicate with the policy server via a proxy agent. The connector receives user session validation requests from OC4J Security Authentication Interface, IPASAuthInterface. The connector is implemented as an external shared library. The shared library is coded with the C programming language and uses the SiteMinder Agent API. The OC4J Security Authentication Interface implementation will make external function calls to the external shared library. More specifically the method, authenticate in the interface implementation will call the function in the shared library to validate a SiteMinder session.

To run external routines in a shared library, the Oracle Application Server containers for J2EE applications, in which the OC4J Security Authentication Interface, IPASAuthInterface, runs, will load the library. The difference is that the OC4J Security Authentication Interface runs in the Oracle Application Server containers for J2EE applications, as opposed to a PL/SQL package that runs in the database. The Oracle Application Server containers for J2EE applications will load the IPASAuthInterface only once despite the multiple invocations for user logins. Thus the SiteMinder Oracle AS connector library is loaded once, despite multiple user session validation calls. For this reason when the Oracle AS connector is used with the OC4J Security Authentication Interface, it is not necessary for the connector to use the Oracle AS connector proxy agent to communicate with the policy server. The connector can communicate directly with the policy server to validate the session or optionally the connector can use the Oracle AS connector proxy agent.

Important Note: On HPUX operating systems, when the Oracle AS connector is used with the OC4J Security Authentication Interface, it is required for the connector to use the Oracle AS connector proxy agent to communicate with the policy server.

Pre-Installation

The Oracle AS and SiteMinder environments are installed and configured before the SiteMinder Oracle AS connector is installed and configured. This includes installing the SiteMinder Web Agent for the Oracle HTTP Server and the SiteMinder Policy Server, as well as configuring the SiteMinder policies for the Oracle AS environment.

Install and Configure Oracle AS

Install and configure Oracle AS in the environment.

Install and Configure the SiteMinder Web Agent for the Oracle HTTP Server

Install and configure the SiteMinder Apache Web Agent on the Oracle HTTP Server. To install and configure a SiteMinder Web Agent, refer to the following documents, the SiteMinder Web Agent Installation Guide and SiteMinder Web Agent Guide.

Install and Configure the SiteMinder Policy Server

Install the SiteMinder Policy Server in the Environment

To install a SiteMinder Policy Server, refer to the document, SiteMinder Policy Server Installation Guide.

Configure the SiteMinder Web Agent for the Oracle HTTP Server

Configure the policy server for the web agent that is installed on the Oracle HTTP Server. This is a SiteMinder Apache Web Agent. To configure a SiteMinder Policy Server for a SiteMinder Apache Web Agent, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder User Directory

Configure the policy server for the user directory in the environment, if it does not already exist. The Oracle AS environment will most likely use an Oracle Database or Oracle Internet Directory as a user store. This is an LDAP directory or ODBC database. To configure a SiteMinder Policy Server, to use the user directory in the chosen environment, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder Authentication Scheme

Setup an authentication scheme for the environment. This is usually Form Login or Basic Authentication with a username and password. To setup an authentication scheme for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder Policy Domain

Setup a policy domain for the Oracle AS environment. To setup a policy domain for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Configure the SiteMinder Policies for the Policy Domain

Setup the policies for the Oracle AS environment. Generally for the Oracle AS environment a protected realm is setup to protect all the resources in the /pls/orasso directory and rules are created to grant users access to the resources in the directory. Sometimes the rule is set with a wildcard *, to allow users access to all the resources in the realm. Users are only granted access to the resources when the rules and users are added to a SiteMinder policy. To setup the policies for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Software Installation for UNIX

The SiteMinder Oracle AS connector is shipped as shared library for UNIX. The SiteMinder Oracle AS Proxy Agent is shipped as an executable for UNIX. The connector and proxy agent require an agent configuration file. A sample configuration is shipped with the installation files. A SiteMinder Oracle AS Connector Test Tool is also provided with the installation.

Installation Files

Product                                           Installation File
SiteMinder Oracle AS Connector                    $ORACLE_HOME/siteminder/oracle10g/lib/libsmoracleiasloginlib.so
SiteMinder Agent API Library                      $ORACLE_HOME/siteminder/oracle10g/lib/libsmagentapi.so
SiteMinder Oracle AS Proxy Agent                  $ORACLE_HOME/siteminder/oracle10g/bin/smoraclessoproxy
SiteMinder Encryption Tool                        $ORACLE_HOME/siteminder/oracle10g/bin/NDSEncrypt
SiteMinder Oracle AS Test Tool                    $ORACLE_HOME/siteminder/oracle10g/bin/smoracleiaslogintest
CGI Script Echoes Headers                         $ORACLE_HOME/siteminder/oracle10g/bin/headers
Perl Script Echoes Headers                        $ORACLE_HOME/siteminder/oracle10g/bin/headers-perl
Connector Configuration File                      $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf
Connector Test Script File                        $ORACLE_HOME/siteminder/oracle10g/conf/test.conf
Log Files                                         $ORACLE_HOME/siteminder/oracle10g/logs
Documentation Files                               $ORACLE_HOME/siteminder/oracle10g/docs
Connector SQL Install Script                      $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql
Oracle PL/SQL Authentication Package              $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.pkb
Oracle PL/SQL Authentication Package              $ORACLE_HOME/siteminder/oracle10g/plsql/ssotokenneteconnector.pkb
OC4J Security Authentication Interface Classes    $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin

Note: The installation files are extracted in the ORACLE_HOME directory for Oracle AS. If a different directory is desired, then the Oracle AS user must own the directory and an environment variable named SM_HOME is set for the directory.

Install the Oracle AS Connector Software

The installation files are distributed as a tar file. The tar file containing the installation files is extracted as the Oracle AS user under the ORACLE_HOME directory. The Oracle AS user must own the directory. Use the following UNIX commands to login as the Oracle AS user, change directory to the ORACLE_HOME and extract the installation files.

Login to the Oracle AS system as the Oracle AS user

Change directory to the ORACLE_HOME directory
$ cd $ORACLE_HOME

Extract the installation files
$ tar -xvf smoracleiasconnector.tar

If desired, the tar file can be extracted in a different directory than the ORACLE_HOME directory. The Oracle AS user must own the directory and an environment variable named SM_HOME is defined for the directory. Use the following UNIX commands to install the Oracle AS connector in a directory other than ORACLE_HOME.

sql REM Create or Replace the SiteMinder Oracle IAS Connector Library REM Replace /space/oraAS90201/oraAS with your system's ORACLE_HOME CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib. to set the SM_HOME environment variable . Install the Oracle AS Connector in the Oracle Database Login to the Oracle AS system as the Oracle AS user Edit the SQL script $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.1.sql Note: If the installation directory is different than the ORACLE_HOME directory.profile file Change directory to the SM_HOME directory $ cd $SM_HOME Extract the installation files $ tar –xvf smoracleiasconnector.Logging out and in again will run the . Installation and Configuration Guide .eTrust™ SiteMinder Connector for Oracle Solutions Architecture. to install the Oracle AS Connector in the Oracle Database.UNIX Login to the Oracle AS system as the Oracle AS user Edit the . Use the following steps.profile Add a line in the . in order for the PL/SQL package named.tar Installation Option 1: Connector with the Oracle PL/SQL Authentication Package (This is deprecated for Oracle 10G Release 2:10. replace $ORACLE_HOME with $SM_HOME $ vi $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.e.so'.profile file $ vi . The Oracle AS Connector is installed in the database as an external library. wwsso_auth_external to make external calls to the functions in the library.x version) This installation option is used for Oracle AS 9i or 10G. i.profile file to create an environment variable named SM_HOME for the installation directory export SM_HOME=<installation directory path> For example: export SM_HOME= /space/oraAS90201/smoraclessoconnector Logout and Login to the Oracle AS system as the Oracle AS user again.2. then edit the SQL script in the $SM_HOME directory. / REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions 14 .

    CREATE OR REPLACE FUNCTION SmSSOSessionVerify (
      lpszSSOuid       IN VARCHAR2,
      lpszSessionId    IN VARCHAR2,
      lpszSessionSpec  IN VARCHAR2,
      lpszIniFilename  IN VARCHAR2,
      lpszErrFilename  IN VARCHAR2,
      lpszLogFilename  IN VARCHAR2,
      nTimeout         IN PLS_INTEGER,
      nLogLevel        IN PLS_INTEGER
    ) return PLS_INTEGER AS EXTERNAL
      LIBRARY SMORACLEIASSSOLOGIN_C_LIB
      NAME "SmSSOSessionVerify"
      LANGUAGE C
      PARAMETERS (
        lpszSSOuid STRING,
        lpszSessionId STRING,
        lpszSessionSpec STRING,
        lpszIniFilename STRING,
        lpszErrFilename STRING,
        lpszLogFilename STRING,
        nTimeout INT,
        nLogLevel INT,
        RETURN
      );
    /

    REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions
    CREATE OR REPLACE FUNCTION SmSSOSessionTokenVerify (
      lpszSSOuid       IN VARCHAR2,
      lpszSessionId    IN VARCHAR2,
      lpszIniFilename  IN VARCHAR2,
      lpszErrFilename  IN VARCHAR2,
      lpszLogFilename  IN VARCHAR2,
      nTimeout         IN PLS_INTEGER,
      nLogLevel        IN PLS_INTEGER
    ) return PLS_INTEGER AS EXTERNAL
      LIBRARY SMORACLEIASSSOLOGIN_C_LIB
      NAME "SmSSOSessionTokenVerify"
      LANGUAGE C
      PARAMETERS (
        lpszSSOuid STRING,
        lpszSessionId STRING,
        lpszIniFilename STRING,
        lpszErrFilename STRING,
        lpszLogFilename STRING,
        nTimeout INT,
        nLogLevel INT,
        RETURN
      );
    /

    REM Create or Replace the SiteMinder Oracle IAS Connector Library Functions
    CREATE OR REPLACE FUNCTION SmSSOTest (
      lpszScriptFilename IN VARCHAR2,
      lpszIniFilename    IN VARCHAR2,
      lpszErrFilename    IN VARCHAR2,
      lpszLogFilename    IN VARCHAR2,
      nIterations        IN PLS_INTEGER,
      nThreads           IN PLS_INTEGER,
      nLogLevel          IN PLS_INTEGER
    ) return PLS_INTEGER AS EXTERNAL
      LIBRARY SMORACLEIASSSOLOGIN_C_LIB
      NAME "SmSSOTest"
      LANGUAGE C
      PARAMETERS (
        lpszScriptFilename STRING,
        lpszIniFilename STRING,
        lpszErrFilename STRING,
        lpszLogFilename STRING,
        nIterations INT,
        nThreads INT,
        nLogLevel INT,
        RETURN
      );
    /

    GRANT EXECUTE ON system.SmSSOSessionVerify TO PUBLIC;
    GRANT EXECUTE ON system.SmSSOSessionTokenVerify TO PUBLIC;
    GRANT EXECUTE ON system.SmSSOTest TO PUBLIC;
    CREATE PUBLIC SYNONYM SmSSOSessionVerify FOR system.SmSSOSessionVerify;
    CREATE PUBLIC SYNONYM SmSSOSessionTokenVerify FOR system.SmSSOSessionTokenVerify;
    CREATE PUBLIC SYNONYM SmSSOTest FOR system.SmSSOTest;
    commit;

Edit the following line in the beginning of the SQL Script
    CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS
      '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so';

On the line:
    AS '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so';
Replace /space/oraAS90201/oraAS with your system's ORACLE_HOME directory.
Replace /space/oraAS90201/oraAS with your system's SM_HOME directory, only if you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME.

To determine your system's ORACLE_HOME directory, use the UNIX command
    $ echo $ORACLE_HOME
To determine your system's SM_HOME directory, use the UNIX command
    $ echo $SM_HOME

For example:
    $ echo $ORACLE_HOME

    /opt/oracle/oraAS

Change the lines in the file:
    CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS
      '/space/oraAS90201/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so';
To
    CREATE OR REPLACE LIBRARY SMORACLEIASSSOLOGIN_C_LIB AS
      '/opt/oracle/oraAS/siteminder/oracle10g/lib/libsmoracleiasloginlib.so';

Save the changes to the SQL script $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Login to SQL*PLUS as the Database System Manager
    $ sqlplus
    SQL*Plus: Release 9.0.1.3.0 - Production on Wed Nov 6 12:00:11 2002
    (c) Copyright 2001 Oracle Corporation. All rights reserved.
    Enter user-name: system
    Enter password:
    Connected to:
    Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production
    With the Partitioning option
    JServer Release 9.0.1.3.0 - Production

Execute the SQL Script

HPUX systems:
    SQL>Start $ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql
If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the library in the database with the command below.
    SQL>Start $SM_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Other UNIX systems:
    SQL>@$ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql
If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the library in the database with the command below.
    SQL>@$SM_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database

The PL/SQL Package, wwsso_auth_external is installed in the ORASSO database as the ORASSO user. The PL/SQL Package is shown below. It may be customized as required.

    Rem ssoxneteconnector.pkb
    Rem NAME
    Rem   ssoxneteconnector.pkb - Single Sign-On Netegrity SiteMinder Integration
    Rem
    Rem DESCRIPTION
    Rem   This package body is used to achieve integration with Netegrity SiteMinder.
    Rem   This is just a default implementation and changes might be required
    Rem   based on customer's specific deployment scenario.

    CREATE OR REPLACE PACKAGE BODY wwsso_auth_external AS

      g_separator            CONSTANT VARCHAR2(1000) := '~';
      g_sm_sessionid_http    CONSTANT VARCHAR2(1000) := 'HTTP_SM_SERVERSESSIONID';
      g_sm_sessionspec_http  CONSTANT VARCHAR2(1000) := 'HTTP_SM_SERVERSESSIONSPEC';
      g_oracle_user_http     CONSTANT VARCHAR2(1000) := 'HTTP_ORACLEIAS_USERNAME';
      g_inifilename          CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf';
      g_errfilename          CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasconnector.err';
      g_logfilename          CONSTANT VARCHAR2(4096) := '$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasconnector.log';
      g_timewait             CONSTANT PLS_INTEGER := 60;
      g_loglevel             CONSTANT PLS_INTEGER := 63;

      FUNCTION authenticate_user (p_user OUT VARCHAR2) return PLS_INTEGER
      IS
        l_result       PLS_INTEGER := -1;
        l_uid          VARCHAR2(4096) := NULL;
        l_sessionid    VARCHAR2(4096) := NULL;
        l_sessionspec  VARCHAR2(4096) := NULL;
        l_user         wwsec_person.user_name%type := NULL;
      BEGIN
        -- Read Header SiteMinder SSO uid and session Header Variables
        l_uid := OWA_UTIL.GET_CGI_ENV (g_oracle_user_http);
        l_sessionid := OWA_UTIL.GET_CGI_ENV (g_sm_sessionid_http);
        l_sessionspec := OWA_UTIL.GET_CGI_ENV (g_sm_sessionspec_http);

        -- Check SSO user for Global Separator
        l_user := l_uid;
        IF ((l_user IS NULL) OR (INSTR(l_user, g_separator) != 0)) THEN
          l_result := -1;
        ELSE
          l_result := 0;
        END IF;

        -- A missing header fails the check; an earlier failure is never reset to success
        IF ((l_result = 0) AND ((l_uid IS NULL) OR (l_sessionid IS NULL) OR (l_sessionspec IS NULL))) THEN
          l_result := -1;
        END IF;

        -- Verify the SiteMinder SSO uid and session
        IF (l_result = 0) THEN
          l_result := SMSSOSESSIONVERIFY (l_uid, l_sessionid, l_sessionspec,
                                          g_inifilename, g_errfilename, g_logfilename,
                                          g_timewait, g_loglevel);
        END IF;

        -- Set Return SSO user
        IF (l_result = 0) THEN
          p_user := NLS_UPPER(l_user);
        ELSE
          RAISE EXT_AUTH_FAILURE_EXCEPTION;
        END IF;

        RETURN l_result;

      -- Handle All Errors
      EXCEPTION
        WHEN OTHERS THEN
          RAISE EXT_AUTH_FAILURE_EXCEPTION;
      END authenticate_user;

      PROCEDURE set_external_cookies (p_username IN VARCHAR2,
                                      p_password IN VARCHAR2,
                                      p_cookie_list OUT wwsso_ls_private.cookie_list)
      AS
      BEGIN
        null;
      END set_external_cookies;

      FUNCTION get_authentication_name RETURN VARCHAR2
      AS
      BEGIN
        RETURN 'Netegrity SiteMinder';
      END get_authentication_name;

      FUNCTION map_dn_to_uid(p_user_dn IN VARCHAR2) return VARCHAR2
      IS
      BEGIN
        -- NULL implementation by default
        raise EXT_AUTH_FAILURE_EXCEPTION;
        return p_user_dn;
      END map_dn_to_uid;

    END;
    /
    show errors;

Use the following steps, to install the Oracle AS Connector in the Oracle Database.

Login to the Oracle AS system as the Oracle AS user

Login to SQL*PLUS as the ORASSO user
    $ sqlplus
    SQL*Plus: Release 9.0.1.3.0 - Production on Wed Nov 6 12:00:11 2002
    (c) Copyright 2001 Oracle Corporation. All rights reserved.
    Enter user-name: orasso
    Enter password:
    Connected to:
    Oracle9i Enterprise Edition Release 9.0.1.3.0 - Production
    With the Partitioning option
    JServer Release 9.0.1.3.0 - Production

Install the PL/SQL Package

HPUX systems:
    SQL>Start $ORACLE_HOME/siteminder/plsql/ssoxneteconnector.pkb
If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the package in the database with the command below.
    SQL>Start $SM_HOME/siteminder/plsql/ssoxneteconnector.pkb

Other UNIX systems:
    SQL>@$ORACLE_HOME/siteminder/plsql/ssoxneteconnector.pkb
If you installed the SiteMinder Oracle AS connector in a different directory than ORACLE_HOME, install the package in the database with the command below.
    SQL>@$SM_HOME/siteminder/plsql/ssoxneteconnector.pkb

Installation Option 2: Connector with the OC4J Security Authentication Interface

This installation option is used for Oracle AS 10G AS only. Installation option 2 is recommended for Oracle 10G AS. Also note that for Oracle 10G AS 10.1.2.x versions only Installation option 2 will work. Also only install option 1 or install option 2 is used, not both.

Install the OC4J Security Authentication Interface

All the OC4J Authentication Security Class files and Property Files in the Connector installation kit are copied to the Oracle AS Single Sign-On plug-in directory. Use the following steps, to install the OC4J Security Authentication Interface class files and property files.

Login to the Oracle AS system as the Oracle AS user

Create the directory structure for the OC4J Security Authentication Interface package name, netegrity.security.ssoplugin under the Oracle AS Single Sign-On plug-in directory, $ORACLE_HOME/sso/plugin
    cd $ORACLE_HOME/sso/plugin
    mkdir -p netegrity/security/ssoplugin

Copy all OC4J Security Authentication Interface Class files in the installation directory to the Oracle AS SSO Plug-in Directory.
Copy all the class files in the installation directory,
    $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin
to the directory,
    $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

These are the OC4J Security Authentication Interface class files:
    NeteHttpRequestStub.class
    NeteProperty.class
    NeteSSOLibrary.class
    NeteSSOLibraryTest.class
    NeteSSOSession.class
    NeteSSOSessionTest.class
    NeteSSOToken.class
    NeteSSOTokenTest.class
    NeteTrace.class
    Stat.class

Copy all OC4J Security Authentication Interface Property files to the Oracle AS SSO Plug-in Directory.
Copy all the properties files in the directory,
    $ORACLE_HOME/siteminder/oracle10g/java/netegrity/security/ssoplugin
to the Oracle AS SSO Plug-in directory,
    $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

These are the OC4J Security Authentication Interface property files:
    NeteSSO.properties
    NeteSSOLibraryTest.properties
    NeteSSOSessionTest.properties
    NeteSSOTokenTest.properties

Edit the Netegrity Single Sign-On properties file, named NeteSSO.properties that was copied to the Oracle AS SSO Plug-in Directory, $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

1. Change directory to the Oracle AS Plug-in directory
    cd $ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin
2. Edit the NeteSSO.properties file
    vi NeteSSO.properties
3. Edit the netesso.library entry with the directory path and library name for the connector. This is the library named, libsmoracleiasloginlib.so installed in the directory $ORACLE_HOME/siteminder/oracle10g/lib
4. Edit the netesso.librarypath entry with the directory path for library name for the connector. This is the library named, libsmoracleiasloginlib.so installed in the directory path $ORACLE_HOME/siteminder/oracle10g/lib
5. Edit the netesso.inifile entry with the directory path and filename for the connector configuration file. This is the file named, smoracleiasagent.conf installed in the directory $ORACLE_HOME/siteminder/oracle10g/conf
6. Edit the netesso.logfile entry with the directory path and filename for the connector log file. The log files are written to files in the installation directory $ORACLE_HOME/siteminder/oracle10g/logs
7. Edit the netesso.errfile entry with the directory path and filename for the connector error file. The error files are written to files in the installation directory $ORACLE_HOME/siteminder/oracle10g/logs

Edit the OC4J Security Authentication Policies file in the Oracle AS SSO Configuration Directory, $ORACLE_HOME/sso/conf named, policy.properties

1. Change directory to the Oracle AS SSO configuration directory
    cd $ORACLE_HOME/sso/conf
2. Edit the policy.properties file
    vi policy.properties
3. Change the line in the file:
    MediumSecurity_AuthPlugin = oracle.security.sso.server.auth.SSOServerAuth
   To
    MediumSecurity_AuthPlugin = netegrity.security.ssoplugin.NeteSSOSession

Use the Oracle Enterprise Manager Application, to Stop and Start the OC4J Security

Configuration for UNIX

Configure the SiteMinder Policies for the Oracle AS Connector and Proxy Agent

Use the SiteMinder Administration GUI to configure an agent, agent group, domain, realm, rules, response and policy for the Oracle AS protected resources. An agent entry for the Oracle AS connector and proxy agent is added to the SiteMinder policies in order to allow the connector and proxy agent to communicate with the policy server. Also an agent group is added to the SiteMinder Policies for the connector, proxy agent and any standard SiteMinder web agents that protect the Oracle AS resources. This agent group is used to protect the Oracle AS resources. Also, a SiteMinder response is created for the Oracle AS user and associated with the protected resources. To configure the agents, agent groups, domains, realms, rules, responses and policies for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Configure a SiteMinder Agent for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add an agent entry for the Oracle AS Connector and Proxy Agent in the SiteMinder policies.

Login to the SiteMinder Administration GUI.
Select the System tab.
Select the Agents from the list in the Systems tab.
Select Edit | Create Agent from the menu at the top of the GUI.
Enter a name for the Agent. Name: smoracleiasssoagent
Enter a description for the Agent. Description: Oracle Connector and Proxy Agent
For a SiteMinder 5.x Policy Server, check the Support 4.x Agents box.
Select the Agent Type, SiteMinder Web Agent.
Enter the IP Address Name or Host Name for the Oracle AS system.
Enter a shared secret for the agent.
Select the OK Button.

An example SiteMinder Agent entry for the connector and proxy agent is shown below.

Configure a SiteMinder Agent Group for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add an agent group in the SiteMinder policies for the SiteMinder Oracle AS Connector, Proxy Agent and Standard SiteMinder Web Agents for the Oracle HTTP Server.

Login to the SiteMinder Administration GUI.
Select the System tab.
Select the Agent Groups from the list in the Systems tab.
Select Edit | Create Agent Group from the menu at the top of the GUI.
Enter a name for the Agent Group. Name: smoracleiasagentgroup
Enter a description for the Agent. Description: Oracle Connector, Proxy & HTTP Server Agent
Select the Agent Type, SiteMinder Web Agent.
Select the Add/Remove… Button.
Select the agent for the SiteMinder Oracle AS Connector and Proxy Agent, smoracleiasssoagent
Select the ← Button, to add the agent to the group.
Select the other standard web agents for the Oracle HTTP Server Agent.
Select the ← Button, to add the agents to the group
Select the OK Button
Select the OK Button

An example SiteMinder Agent Group for the Oracle AS Connector, Proxy Agent and the standard web agents for the Oracle HTTP Server is shown below.

The agent group is used with all the Oracle AS protected resources. The Oracle AS resources and any existing protected OracleAS resources will use this agent group. This means that any SiteMinder realms that protect Oracle AS resources will need to use this agent group.

Configure a SiteMinder Policy Domain for the Oracle AS Connector and Proxy Agent

Perform the following steps to add a policy domain in the SiteMinder policies for the Oracle AS environment, if one does not already exist.

Login to the SiteMinder Administration GUI.
Select the System tab.
Select the Domains from the list in the Systems tab.
Select Edit | Create Domain from the menu at the top of the GUI.
Enter a name for the Domain. Name: Oracle AS
Enter a description for the Agent. Description: Oracle AS Domain
Select the User Directory for the Domain from the list of user directories.
Select the ← Add Button, to add the user directory to the domain.
Select the OK Button.

An example SiteMinder Policy Domain for Oracle AS is shown below.

Configure a SiteMinder Realm for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add a realm in the SiteMinder policies for the Oracle AS environment.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the Oracle AS Domain to expand its entries.
Select the Realms from the entries.
Select Edit | Create Realm from the menu at the top of the GUI.
Enter a name for the Realm. Name: Oracle AS Realm
Enter a description for the Realm. Description: Oracle AS Connector, Proxy Agent & Standard Web Agents Realm
Select the Agent: smoracleiasagentgroup
Enter a Resource Filter: /pls/orasso
Select the Authentication Scheme.
Select the Default Resource Protection: Protected
Select the OK Button.

An example SiteMinder Realm that protects Oracle AS resources and uses the Oracle AS agent group is shown below.

Configure a SiteMinder Rule for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add a rule in the SiteMinder policies for the Oracle AS Realm. The resource filter entered in the realm combined with the resource entered in the rule is used for the resource entry in the Oracle AS connector and proxy agent configuration file.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the OracleAS Domain to expand its entries.
Select the plus character next to the Realms to expand its entries.
Select the Oracle AS Realm from the entries.
Select Edit | Oracle AS Realm | Create Rule under Realm from the menu at the top of the GUI.
Enter a name for the Rule. Name: Oracle AS Resource Access
Enter a description for the Rule. Description: Oracle AS Connector, Proxy Agent & Standard Web Agents Resource Access
Select the Realm: Oracle AS Realm
Enter a Resource: /*
Select the Action: Web Agent Actions
Select Actions: Get and Post
Select When this Rule Fires: Allow Access
Select Enable or Disable this Rule: Enabled
Select the OK Button.

An example SiteMinder Rule that controls access to the Oracle AS resources is shown below.

Configure another SiteMinder Realm for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add a realm in the SiteMinder policies for the Oracle AS environment.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the Oracle AS Domain to expand its entries.
Select the Realms from the entries.
Select Edit | Create Realm from the menu at the top of the GUI.
Enter a name for the Realm. Name: Oracle SSO Realm
Enter a description for the Realm. Description: Oracle AS Connector, Proxy Agent & Standard Web Agents Realm
Select the Agent: smoracleiasagentgroup
Enter a Resource Filter: /sso/
Select the Authentication Scheme.
Select the Default Resource Protection: Protected
Select the OK Button.

An example SiteMinder Realm that protects Oracle AS resources and uses the Oracle AS agent group is shown below.

Configure another SiteMinder Rule for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add a rule in the SiteMinder policies for the Oracle AS Realm. The resource filter entered in the realm combined with the resource entered in the rule is used for the resource entry in the Oracle AS connector and proxy agent configuration file.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the OracleAS Domain to expand its entries.
Select the plus character next to the Realms to expand its entries.
Select the Oracle AS Realm from the entries.
Select Edit | Oracle AS Realm | Create Rule under Realm from the menu at the top of the GUI.
Enter a name for the Rule. Name: Oracle SSO Access
Enter a description for the Rule. Description: Oracle AS Connector, Proxy Agent & Standard Web Agents Resource Access
Select the Realm: Oracle SSO
Enter a Resource: /*
Select the Action: Web Agent Actions
Select Actions: Get and Post
Select When this Rule Fires: Allow Access
Select Enable or Disable this Rule: Enabled
Select the OK Button.

An example SiteMinder Rule that controls access to the Oracle AS resources is shown below.

Configure a SiteMinder Response for the Oracle AS Connector and Proxy Agent

A SiteMinder response is necessary for the Oracle user id. This response identifies the Oracle user id associated with a SiteMinder session to the Oracle AS connector and proxy agent. Perform the following steps, to add a SiteMinder response for the Oracle user id. Then associate this response with the Oracle AS protected resources. This means that the response is added with the Oracle AS access rules for the Oracle AS Realm in the Oracle AS policy. Alternatively, the response may be associated with only authentication events, instead of authorization events. This means that the response is only received during authentication events, and not during authorization events. To configure the response for authentication events only for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the Oracle AS Domain to expand its entries.
Select the Responses from the entries.
Select Edit | Create Response from the menu at the top of the GUI.
Enter a name for the Response. Name: Oracle AS ID
Enter a description for the Response. Description: User ID for Oracle AS Users

An example SiteMinder Response is shown below.

Select the Create button.
Select the Attribute: WebAgent-HTTP-Header-Variable
Select the Attribute Kind: User Attribute
Enter the Variable Name: oracleias_username
Enter the Attribute Name. This is the LDAP attribute name or database column name for the user id. For example, uid
Select the OK Button.

An example SiteMinder Response for the user id is shown below.

Select the OK Button.

Configure a SiteMinder Policy for the Oracle AS Connector and Proxy Agent

Perform the following steps, to add a SiteMinder policy for the Oracle AS rules and response that controls access to the Oracle AS resources. Add all the rules with response to the policy. This means that the response is associated with all Oracle AS resource rules for the Oracle AS realms in the policy. Alternatively, the response may be associated with only authentication events, instead of authorization events. This means that the response is only received during authentication events, and not during authorization events. To configure the response for authentication events only for a SiteMinder Policy Server, refer to SiteMinder Policy Design Guide.

Login to the SiteMinder Administration GUI.
Select the Domains tab.
Select the Oracle AS Domain from the Domains list in the Domains tab.
Select the plus character next to the Oracle AS Domain to expand its entries.
Select the Policies from the entries.
Select Edit | Create Policy from the menu at the top of the GUI.
Enter a name for the Policy. Name: Oracle AS Policy
Enter a description for the Policy. Description: Oracle AS Policy
Select Enabled
Select the Users Tab.

An example SiteMinder Policy with the Users Tab selected is shown below.

Select the Add/Remove … button in the Users Tab.
Add the users that can access the Oracle AS resources.

An example SiteMinder Policy with all users selected is shown below.

Select the OK button.

An example SiteMinder Policy that grants all users access is shown below.

Select the Rules Tab.

An example SiteMinder Policy with the Rules Tab selected is shown below.

Select the Add/Remove Rules… button.
Select the Oracle AS Resource Access rule.
Select the ← Button, to add the rule to the policy.

An example SiteMinder Policy with the rule selected is shown below.

Select the OK button.

Select the Oracle AS Resource Access rule so that it is highlighted.

An example SiteMinder Policy that grants all users' access to the Oracle AS resources is shown below. Also the rule is selected and highlighted.

Select the Set Response… button.
Select the Oracle AS ID response so that it is highlighted.

An example SiteMinder Set Response with the response highlighted is shown below.

Select the OK button.

An example SiteMinder Policy with the Rule and Response added is shown below.

Select the OK button.

Add all the Oracle AS rules with the response to the policy

An example SiteMinder Policy with more rules and the response added is shown below.

Configure the Oracle AS Connector and Proxy Agent

The Oracle AS Connector and Proxy Agent are configured for the SiteMinder environment. Both use the same configuration file. Modifying the entries in the agent configuration file will configure the SiteMinder Oracle AS Connector and Proxy Agent for the environment. Use the following steps, to configure the Oracle AS Connector and Proxy Agent.

Login to the Oracle AS system as the Oracle AS user

Edit the configuration file $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf
Note: If the installation directory is different than the ORACLE_HOME directory, then edit the configuration file in the $SM_HOME directory, i.e. Replace $ORACLE_HOME with $SM_HOME
    $ vi $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf

    <?xml version="1.0" encoding="UTF-8"?>
    <agent>
    <defaultagentname value="smoracleiasssoagent"/>
    <policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/>
    <enablefailover value="NO"/>
    <maxsocketsperport value="20"/>
    <minsocketsperport value="2"/>
    <newsocketstep value="2"/>
    <pspollinterval value="30"/>
    <agentpollinterval value="30" />
    <requesttimeout value="60000"/>
    <loglevel value="63"/>
    <logfile value="YES"/>
    <logappend value="NO"/>
    <logfilename value="$ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.log"/>
    <resource value="/pls/orasso/orasso.home"/>
    <action value="get"/>
    <license value=""/>
    <sharedsecret value="[NDSEnc-B]qPJraa+A2x09xej1jOxRLcO0gOM516ob"/>
    </agent>

Edit the defaultagentname entry with the agent name for the connector and proxy agent

The defaultagentname entry specifies the agent name of the connector and proxy agent that is defined in the policy server. It is the same agent name that was entered in the agent properties when the agent entry for the SiteMinder Oracle AS connector and proxy agent was created in the SiteMinder policies. Set the defaultagentname entry with the agent name for your environment.

Edit the policyserver entry with the policy servers in your environment

The policyserver entry specifies one or more policy servers that the connector and proxy agent will use to validate sessions. The policyserver entry must contain the following attributes:
• Policy Server IP Address
• Accounting Service Port Number
• Authentication Service Port Number
• Authorization Service Port Number

A hostname can be used for the host attribute, but an IP address is recommended.

Policy Server Definition (the host attribute is the hostname or IP address; the accounting, authentication and authorization attributes are the service ports):
    <policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/>

Set the policyserver entry with the policy servers for your environment. To add more than one policy server, place each policy server entry on a separate line. For example:
    <policyserver host="123.123.13.1" accounting="44441" authentication="44442" authorization="44443"/>
    <policyserver host="123.123.13.2" accounting="44441" authentication="44442" authorization="44443"/>
    <policyserver host="123.123.13.3" accounting="44441" authentication="44442" authorization="44443"/>

Edit the enablefailover entry, if fail over between multiple policy servers is desired

The enablefailover entry determines how the connector and proxy agent communicate with multiple policy servers. It determines whether the proxy agent will communicate with the policy servers in load balance mode or fail over mode.

The load balance mode provides high reliability and performance. The requests are distributed across multiple policy servers. Thus, the request load is balanced across multiple policy servers. If a policy server fails and there is another policy server, the request is serviced by the other policy server. To enable load balancing, set the enablefailover entry to NO.

The fail over mode provides high reliability. In this mode every request is delivered to the first policy server. If the first policy server does not respond, the request is delivered to the next policy server. To enable fail over, set the enablefailover entry to YES.

Edit the maxsocketsperport entry, if more or less sockets per policy server are required

The maxsocketsperport entry defines the maximum number of TCP/IP connections the connector and proxy agent use to communicate with each policy server service, accounting, authentication and authorization. By default this value is set to 20, which is sufficient for low and medium traffic.

Edit the minsocketsperport entry, if more or less sockets per policy server are required

The minsocketsperport entry defines the number of TCP/IP connections the connector and proxy agent open to each policy server service, accounting, authentication and authorization at startup. By default this value is set to 2.

Edit the newsocketstep entry, if more or less new sockets per policy server are required

The newsocketstep entry specifies the number of TCP/IP connections the connector and proxy agent open to each policy server service, accounting, authentication and authorization when new connections are required. By default this value is set to 2.

Edit the pspollinterval entry, if more or less frequent polling with the policy server is required

The pspollinterval entry determines how often the connector and proxy agent retrieve information about policy changes from the policy server. The polling is set in seconds.

Edit the agentpollinterval entry, if more or less frequent polling for changes in the agent configuration is required

The agentpollinterval entry determines how often the connector and proxy agent poll the agent configuration file for any changes. The polling is set in seconds.

Edit the requesttimeout entry, if a smaller or larger request timeout is required

The requesttimeout entry indicates the number of milliseconds that the connector and proxy agent will wait before deciding that a policy server is unavailable.

Edit the logfile entry, if the Oracle AS connector and proxy agent logging are not required

The logfile entry indicates whether or not the connector and proxy agent record messages to a log file. Set the logfile entry to YES, for the connector and proxy agent to record messages to a log file. Set the logfile entry to NO, for the connector and proxy agent to not record messages to a log file.

Edit the logappend entry, if appending to the same log file is required

The logappend entry indicates whether or not logging information is added to the existing file or a new file whenever the proxy agent is restarted. Set the logappend entry to YES, if logging information is added to an existing log file whenever the proxy agent is started. Set the logappend entry to NO, if logging information is added to a new log file every time the proxy agent is started.

Edit the logfilename entry, if a different log filename is required

The logfilename entry indicates the name of the log file. The log file is specified with its full directory path and filename.

Edit the loglevel entry, if a different logging level is required

The loglevel entry controls the level of the messages recorded in the connector and proxy agent log files. Each message has a log level associated with it. How the loglevel entry is set controls which messages are recorded on the log files. The table below lists the different log levels with their corresponding indicator in the log file and type of message.

Log Level    Type Of Messages                Indicator in the Log File
1            Critical Error Messages         F
2            Configuration Error Messages    C
4            Error Messages                  E
8            Warning Messages                W
16           Informational Messages          I
32           Debug Messages                  D

The following lines show examples of a log message in the log file with its message indicators included in the message.

[04-Nov-2002:19:21:55-0500][0000000001-I] Process Login Request Success
(log level indicates an informational message)

[04-Nov-2002:19:21:55-0500][0000000001-E] Process Login Request Failure
(log level indicates an error)

Edit the resource entry and set it with a protected Oracle AS resource

The resource entry identifies a protected Oracle AS resource. Its value is set with a protected Oracle AS resource.

Edit the action entry and set it with the protected HTTP action associated with the protected Oracle AS resource identified by the resource entry

The action entry indicates the protected HTTP action associated with Oracle AS resource identified by the resource entry. Its value is usually GET or POST.

Edit the license entry and set it with your SiteMinder Oracle AS Connector license

The license entry identifies the SiteMinder Oracle AS license. Set the license entry with your license if you have received it. If the license entry is left empty, then by default the license is set with a SiteMinder Oracle AS Connector evaluation license. An evaluation license will only work for two hours. After the two hours expire, the connector will stop working. Stopping and starting the proxy agent will reset the evaluation license. It is also important to note that with an evaluation license the connector must use the proxy agent to service SiteMinder session validation requests and the connector cannot communicate directly with the policy server. Thus when an evaluation license is used, the connector will not fail over to communicate directly with the policy server whenever the proxy agent is unavailable.

The license entry is contained on a single line. Although the entry may display on more than one line in the editor, make sure there are no carriage returns in the entry. Also make sure the license entry value is enclosed between double quotes. An example entry is shown below.

<license value="[NDSEncC]DbYUjklsoenMua9af3EFkfjjfoG4BlLcJ8tWLnnYTPXxkKYko/Bs+6iszjsKJICrRQoMoQuo0vlRvgw/LWVKqdVPQqrr7DeOvziWsK0LDqFcOhLjfFWmUybougPlqB6bTtG1np5faAI+pDgh2hEHOOnxLdjsveu79mhdekuHvjZiN4JHN2lSfODcNqw9vaZ4f8ENRl0="/>

Edit the sharedsecret entry and set it with the encrypted shared secret for the agent

The sharedsecret entry identifies the encrypted shared secret for the agent. It is the same shared secret that was entered in the agent properties for the SiteMinder Oracle AS connector and proxy agent when the agent entry was created in the SiteMinder policies. Use the NPSEncrypt tool to encrypt the clear text shared secret and set the sharedsecret entry with the encrypted shared secret returned from the NPSEncrypt tool. The NPSEncrypt tool runs from the command line. It takes one parameter, a clear text shared secret, and outputs an encrypted shared secret. For example:

Login to the Oracle AS system as the Oracle AS user

Run the NPSEncrypt tool to encrypt a clear text shared secret

The clear text shared secret value is firewall
The encrypted shared secret value is [NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

Note: If the installation directory is different than the ORACLE_HOME directory, then run the NPSEncrypt tool in the $SM_HOME directory. Replace $ORACLE_HOME with $SM_HOME.

$ORACLE_HOME/siteminder/oracle10g/bin/NPSEncrypt firewall
[NPSEncrypt Version 1.1 .NPSEncrypt Revision 1]
[NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

Set the sharedsecret entry with [NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY

<sharedsecret value="[NDSEnc-C]oVEG5j9PR3vRjPB9tavJPlu6AHdw9AuY"/>

Save the changes to the configuration file
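The rules stated above for the license and sharedsecret entries (one physical line, a value between straight double quotes, an encrypted rather than clear text secret) can be checked before the proxy agent is started. The shell function below is an added example, not CA's code: check_agent_conf is a hypothetical name, the sample entries are constructed, and it assumes encrypted values begin with the [NDSEnc prefix seen in the guide's examples.

```shell
#!/bin/sh
# Added example: lint the license and sharedsecret entries of the connector
# and proxy agent configuration file against the rules in the guide.

# Usage: check_agent_conf FILE
# Prints one line per finding; returns 0 if there are none, 1 otherwise.
check_agent_conf() {
    conf=$1
    findings=0
    for entry in license sharedsecret; do
        line=$(grep "<$entry " "$conf" | head -n 1)
        if [ -z "$line" ]; then
            echo "$entry: entry not found"
            findings=1
            continue
        fi
        # Opening tag, quoted value and closing /> must share one physical
        # line; a wrapped entry or typographic quotes fail this match.
        if ! printf '%s\n' "$line" |
            grep -Eq "<$entry value=\"[^\"]*\"[[:space:]]*/>"; then
            echo "$entry: not a single line with a straight-double-quoted value"
            findings=1
            continue
        fi
        value=$(printf '%s\n' "$line" |
            sed "s/.*<$entry value=\"\([^\"]*\)\".*/\1/")
        case $value in
            "")
                # For license, the guide says an empty value selects the
                # two-hour evaluation license; reported so it is not missed.
                echo "$entry: empty value"
                findings=1 ;;
            *" "*)
                echo "$entry: value contains a space"
                findings=1 ;;
            "[NDSEnc"*) ;;   # assumed marker of NPSEncrypt output
            *)
                echo "$entry: value lacks the [NDSEnc prefix (clear text?)"
                findings=1 ;;
        esac
    done
    return "$findings"
}

# Constructed sample: a license entry broken across two lines and a shared
# secret left in clear text ("firewall" is the guide's clear text example).
demo=$(mktemp)
cat > "$demo" <<'EOF'
<license value="[NDSEnc-C]CONSTRUCTEDLICENSEPART1
CONSTRUCTEDLICENSEPART2"/>
<sharedsecret value="firewall"/>
EOF
check_agent_conf "$demo" || true
rm -f "$demo"
```

Run against the real file, for example check_agent_conf $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf, a non-zero return means at least one entry needs correcting.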

Configure the Oracle HTTP Server for the PL/SQL Authentication Package

The Oracle HTTP Server PL/SQL module configuration file is configured to pass the necessary header variables from the web server to PL/SQL packages. This configuration is only necessary if the Oracle PL/SQL Authentication Package is used with the connector. In other words this configuration is only necessary if the installation option 1: Connector with the Oracle PL/SQL Authentication Package is used. Use the following steps, to configure the Oracle HTTP Server PL/SQL module configuration file to pass the following header variables to PL/SQL packages.

HTTP_SM_USER
HTTP_SM_SERVERSESSIONID
HTTP_SM_SERVERSESSIONSPEC
HTTP_ORACLEIAS_USERNAME

Login to the Oracle AS system as the Oracle AS user

Edit the configuration file $ORACLE_HOME/Apache/modplsql/conf/dads.conf

Note: If the installation directory is different than the ORACLE_HOME directory, then edit the PL/SQL module file, dads.conf in the $SM_HOME directory, i.e. replace $ORACLE_HOME with $SM_HOME.

$ vi $ORACLE_HOME/Apache/modplsql/conf/dads.conf

###########################################################################
# mod_plsql DAD Configuration File
###########################################################################
# Note: This file should typically be included in your plsql.conf file
# Depending on the type of install being done, the installer will
# automatically configure DADs for components being installed
# e.g. Portal
# Login Server
# After the install is done, you can configure more DAD's through the
# OEM Configuration Tool which is typically running on http://host.domain:1810.
# Or, you can choose to add DADs manually to this file. Please refer to
# dads.README file in this directory to see how some typical DADs are configured
# This is a typical Login Server instance DAD
<Location /pls/orasso>
SetHandler pls_handler
Order deny,allow
Allow from All
AllowOverride None
PlsqlDatabaseUsername orasso
PlsqlDatabasePassword !SjI0RXhmRE0=
PlsqlDatabaseConnectString nikko.netegrity.com:1521:iasdb1
PlsqlDefaultPage orasso.home
PlsqlDocumentTablename orasso.wwdoc_document
PlsqlDocumentPath docs
PlsqlDocumentProcedure orasso.wwdoc_process.process_download
PlsqlAuthenticationMode SingleSignOn
PlsqlPathAlias url
PlsqlPathAliasProcedure orasso.wwpth_api_alias.process_download
PlsqlSessionCookieName orasso
PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252
</Location>

Add the following lines, just above the line </Location> in the dads.conf file

PlsqlCGIEnvironmentList HTTP_SM_USER
PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONID
PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONSPEC
PlsqlCGIEnvironmentList HTTP_ORACLEIAS_USERNAME

For example:

###########################################################################
# mod_plsql DAD Configuration File
###########################################################################
# Note: This file should typically be included in your plsql.conf file
# Depending on the type of install being done, the installer will
# automatically configure DADs for components being installed
# e.g. Portal
# Login Server
# After the install is done, you can configure more DAD's through the
# OEM Configuration Tool which is typically running on http://host.domain:1810.
# Or, you can choose to add DADs manually to this file. Please refer to
# dads.README file in this directory to see how some typical DADs are configured
# This is a typical Login Server instance DAD
<Location /pls/orasso>
SetHandler pls_handler
Order deny,allow
Allow from All
AllowOverride None
PlsqlDatabaseUsername orasso
PlsqlDatabasePassword !SjI0RXhmRE0=
PlsqlDatabaseConnectString nikko.netegrity.com:1521:iasdb1
PlsqlDefaultPage orasso.home
PlsqlDocumentTablename orasso.wwdoc_document
PlsqlDocumentPath docs
PlsqlDocumentProcedure orasso.wwdoc_process.process_download
PlsqlAuthenticationMode SingleSignOn
PlsqlPathAlias url
PlsqlPathAliasProcedure orasso.wwpth_api_alias.process_download
PlsqlSessionCookieName orasso
PlsqlNLSLanguage AMERICAN_AMERICA.WE8MSWIN1252
PlsqlCGIEnvironmentList HTTP_SM_USER
PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONID
PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONSPEC
PlsqlCGIEnvironmentList HTTP_ORACLEIAS_USERNAME
</Location>

Save the changes to the configuration file
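Because the four PlsqlCGIEnvironmentList lines only take effect inside the DAD's <Location> block, a quick check after editing catches lines pasted below </Location> or left commented out. The function below is an added example, not part of the guide or of Oracle's tooling: missing_sm_headers is a hypothetical name and the sample dads.conf fragment is constructed.

```shell
#!/bin/sh
# Added example: report which of the guide's four header variables a given
# DAD <Location> block in dads.conf does not yet pass to PL/SQL.

# Usage: missing_sm_headers FILE LOCATION   (e.g. LOCATION = /pls/orasso)
# Prints one missing variable per line; prints nothing when all are present.
missing_sm_headers() {
    awk -v loc="$2" '
        BEGIN {
            n = split("HTTP_SM_USER HTTP_SM_SERVERSESSIONID " \
                      "HTTP_SM_SERVERSESSIONSPEC HTTP_ORACLEIAS_USERNAME",
                      want, " ")
        }
        /^[ \t]*#/ { next }                        # commented-out lines do not count
        $1 == "<Location" && $2 == (loc ">") { inside = 1; next }
        $1 == "</Location>" { inside = 0; next }
        # Only directives between <Location LOC> and </Location> are counted.
        inside && $1 == "PlsqlCGIEnvironmentList" { seen[$2] = 1 }
        END {
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen))
                    print want[i]
        }
    ' "$1"
}

# Constructed sample: two variables are inside the block, one is commented
# out and one was added after </Location>, so two are reported as missing.
demo=$(mktemp)
cat > "$demo" <<'EOF'
<Location /pls/orasso>
SetHandler pls_handler
PlsqlAuthenticationMode SingleSignOn
PlsqlCGIEnvironmentList HTTP_SM_USER
# PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONID
PlsqlCGIEnvironmentList HTTP_ORACLEIAS_USERNAME
</Location>
PlsqlCGIEnvironmentList HTTP_SM_SERVERSESSIONSPEC
EOF
missing_sm_headers "$demo" /pls/orasso
rm -f "$demo"
```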

SiteMinder Oracle AS Connector Proxy Agent Startup

After the SiteMinder OracleAS Connector and Proxy Agent are installed and configured, the proxy agent is started up and it runs as a daemon process. Use these steps to start the Proxy Agent.

Login to the Oracle AS system as the Oracle AS user

Set the file descriptors to 1024

The proxy agent daemon process will need at least 1024 file descriptors. Use the following UNIX command to set the file descriptors to 1024, before the proxy agent is started.

$ ulimit -n 1024

Set the library path with the connector library path

HPUX Systems:
$ SHLIB_PATH=$ORACLE_HOME/siteminder/oracle10g/lib:$SHLIB_PATH
$ export SHLIB_PATH

Other UNIX Systems:
$ LD_LIBRARY_PATH=$ORACLE_HOME/siteminder/oracle10g/lib:$LD_LIBRARY_PATH
$ export LD_LIBRARY_PATH

Start the SiteMinder Oracle AS Proxy Agent with this command

Note: If the installation directory is different than the ORACLE_HOME directory, then start the proxy agent in the $SM_HOME directory, i.e. replace $ORACLE_HOME with $SM_HOME.

$ $ORACLE_HOME/siteminder/oracle10g/bin/smoraclessoproxy $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err 63

Make sure the command is on a single line.

The first parameter to the startup command, $ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf is the connector and proxy agent configuration file.

The second parameter to the startup command, $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err is the proxy agent error log file.

The third parameter to the startup command, 63 is the connector and proxy agent error log level. The table below lists the different log levels with their corresponding indicator in the log file and type of message.

Log Level    Type Of Messages                Indicator in the Log File
1            Critical Error Messages         F
2            Configuration Error Messages    C
4            Error Messages                  E
8            Warning Messages                W
16           Informational Messages          I
32           Debug Messages                  D

The following lines show examples of a log message in the log file with its message indicators included in the message.

[04-Nov-2002:19:21:55-0500][0000000001-I] Process Login Request Success
(log level indicates an informational message)

[04-Nov-2002:19:21:55-0500][0000000001-E] Process Login Request Failure
(log level indicates an error)

Set the log level parameter with the sum of log levels associated with each message type that you choose to record in the log file. For example, if you chose to record critical error messages and informational messages, then set the log level parameter to the sum of 1 and 16. If you choose to record all types of messages in the log file, then set the log level parameter to the sum of all the log levels for all the messages types, 63.

The message below is displayed when the SiteMinder Oracle AS Proxy Agent starts up successfully.

Siteminder Oracle iAS Agent Proxy Console
File Descriptor Setting: 64
Max File Descriptor Setting: 1024
Siteminder Oracle iAS Agent Proxy Setup
Siteminder Oracle iAS Agent Proxy Startup
Siteminder Oracle iAS Agent Proxy Launched
Make sure the process has enough file descriptors
At least 1024 file descriptors are recommended
To show the file descriptors for the process:
Use the Unix Command, $ ulimit -n
To increase file descriptors for the process:
Use the Unix Command, $ ulimit -n 1024
After increasing the file descriptors,
Stop and Start the Siteminder Oracle iAS Agent Proxy
for the file descriptor increase to take effect
To Stop the Siteminder Oracle iAS Agent Proxy:
Use the Unix Command, $ kill 24535
Never Use the Unix Command, $ kill -9 24535
Check File, $ORACLE_HOME/siteminder/oracle10g/logs/smoracleiasagent.err for status
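The log level sum and the one-letter indicators described above can be checked mechanically when reviewing a connector or proxy agent log. The shell functions below are an added example, not part of the guide or the connector: the function names are hypothetical, and the sample log combines the guide's two example lines with two constructed ones.

```shell
#!/bin/sh
# Added example: decode a log level sum into the indicators from the guide's
# table, and show which lines of a log a given log level would record.

# Print the indicators enabled by a log level sum, e.g. 17 -> FI, 63 -> FCEWID.
loglevel_indicators() {
    level=$1
    enabled=""
    for pair in 1:F 2:C 4:E 8:W 16:I 32:D; do
        bit=${pair%%:*}
        letter=${pair##*:}
        if [ $(( level & bit )) -ne 0 ]; then
            enabled="$enabled$letter"
        fi
    done
    printf '%s\n' "$enabled"
}

# Read a log on stdin and print only the lines whose indicator is enabled by
# the given log level. Lines look like: [timestamp][sequence-INDICATOR] text
filter_by_loglevel() {
    wanted=$(loglevel_indicators "$1")
    [ -n "$wanted" ] || return 0
    grep -E "^\[[^]]*\]\[[0-9]+-[$wanted]\] " || true
}

# Count critical, configuration and plain error lines (F, C, E) on stdin.
count_errors() {
    grep -Ec '^\[[^]]*\]\[[0-9]+-[FCE]\] ' || true
}

# Sample log: the first two lines are the guide's examples, the last two are
# constructed for this example.
sample_log() {
    cat <<'EOF'
[04-Nov-2002:19:21:55-0500][0000000001-I] Process Login Request Success
[04-Nov-2002:19:21:55-0500][0000000001-E] Process Login Request Failure
[04-Nov-2002:19:21:56-0500][0000000002-W] Constructed warning line
[04-Nov-2002:19:21:57-0500][0000000002-D] Constructed debug line
EOF
}

# Log level 17 = 1 + 16: only critical and informational lines are shown.
echo "level 17 records: $(loglevel_indicators 17)"
sample_log | filter_by_loglevel 17
echo "error lines in sample: $(sample_log | count_errors)"
```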

This message is displayed when the Proxy Agent fails to start because it is already running.

File Descriptor Setting: 1024
Max File Descriptor Setting: 1024
Siteminder Oracle iAS Agent Proxy Failed to Start
Siteminder Oracle iAS Agent Proxy, Already Running
Check Pid File, smoracleiasagent.conf.pid for Process ID
Alternatively, to obtain the Process ID,
Use the Unix Command, $ ps -ef | grep smoraclessoproxy
To Stop the Siteminder Oracle iAS Agent Proxy:
Use the Unix Command, $ kill process id
Never the Unix Command, $ kill -9 process id

Post Installation

After the SiteMinder Oracle AS Connector and Proxy Agent (if required) installation and configuration are completed, you will need to install and configure the NPS Session Linker. It will link the SiteMinder session with the Oracle AS sessions. The NPS Session Linker provides single sign-off. Thus when a user logs out of an Oracle AS application, the SiteMinder session is no longer valid. The user is logged out of all the Oracle AS applications and SiteMinder.

To install and configure the NPS Session Linker, refer to the document, NPS Session Linker Installation and Administration Guide. For an example, a typical setting of the Response in the SiteMinder Policy Server that is required to configure the Session Linker for Oracle AS is provided below:

The response needs to be configured as a SiteMinder Response through the SiteMinder Policy Server Admin GUI. This response is an active expression that should be entered via the Advanced tab of the SiteMinder Response Attribute Editor panel.

Two cookie names need to be configured. The first one is “SSO_ID” and should be configured as COOKIE0. The second cookie name will depend on the web server name and port. For example if the web server where the web agent is installed is named as xyz.netegrity.com and the port is 7777, then a cookie will be generated as “OHS-xyz.netegrity.com7777”. This cookie name should be configured as COOKIE1.

The overall setting in the Advanced tab will then look like:

<@lib="npssessionlinker" func="Config" param="COOKIE0=SSO_ID.COOKIE1=OHS-xyz.netegrity.com7777"@>

An example SiteMinder Response for the Session Linker is shown below.

Troubleshooting

SiteMinder Oracle AS Connector Logging

The SiteMinder Oracle AS Connector can log helpful information to two separate files whenever it executes. It logs start up and policy server polling information in an error file whenever the proxy agent is unavailable and the connector communicates directly with the policy server to validate SiteMinder sessions. It also logs session validation processing information to a log file. The information in these files is used to troubleshoot problems. To troubleshoot problems, turn on the connector logging and set the log level to the highest level, 63.

For the Oracle PL/SQL Authentication Package

Set the error filename, log filename and log level in the implementation of the PL/SQL package, wwsso_auth_external. The PL/SQL package, wwsso_auth_external is implemented by the PL/SQL file named,

$ORACLE_HOME/siteminder/oracle10g/plsql/ssoxneteconnector.sql

Whenever changes are made to the PL/SQL package, it is necessary to install it again in the Oracle Single Sign-on database, i.e. the ORASSO database. To install the PL/SQL package in the database refer to the section, “Install the PL/SQL Package, wwsso_auth_external in the Oracle Single Sign-on Database”.

View both log files for errors.

For the OC4J Security Authentication Interface

Set the error filename, log filename and log level in the properties file named, NeteSSO.properties. This file is in the Oracle AS SSO Plug-in Directory,

$ORACLE_HOME/sso/plugin/netegrity/security/ssoplugin

Whenever changes are made to file, the OC4J Security is stopped and started, in order for the changes to occur.

View both log files for errors.

SiteMinder Oracle AS Proxy Agent Logging

The SiteMinder Oracle AS Proxy Agent can log helpful information to two separate files. It logs start up and polling information to an error file and it will log session validation processing information to a log file. The information in these files is used to troubleshoot problems. To troubleshoot problems, turn on the proxy agent logging and set the log level to the highest level, 63.

Set the error filename and log level parameters in the proxy agent start up command. To start up the proxy agent with the error filename and log level, refer to the section, “SiteMinder Oracle AS Connector Proxy Agent Startup”.

Set the log filename and log level in the connector and proxy agent configuration file. The proxy agent configuration file is an XML text file named,

$ORACLE_HOME/siteminder/oracle10g/conf/smoracleiasagent.conf

To set the log filename and log level in the configuration file refer to the section, “Configure the Oracle AS Connector and Proxy Agent”.

View both log files for errors.

SiteMinder Technical Support

The CA Solution Engineering Team can help troubleshoot problems for this connector. To obtain help from the CA Solution Engineering Team, open a case with the CA Netegrity Technical Support.

To troubleshoot problems, open a case describing the problem with CA Netegrity Technical Support. Use the CA Netegrity Technical Support Site URL, https://support.netegrity.com to open the case or use the CA Netegrity Technical Support phone number to open the case. Make sure you upload the following files to the case:

• SiteMinder Oracle AS connector error and log files
• SiteMinder Oracle AS proxy agent error and log files
• SiteMinder Oracle AS connector and proxy agent configuration file
• SiteMinder Policy Server authentication and authorization log files
• SiteMinder Policy Store export file