Oracle® Transportation Management OAM Integration Guide Release 6.3 Part No. E38430-04 January 2014

Oracle® Transportation Management

OAM Integration Guide

Release 6.3

Part No. E38430-04

January 2014

Copyright © 2009, 2014, Oracle and/or its affiliates. All rights reserved. iii

Oracle Transportation Management OAM Integration Guide, Release 6.3

Part No. E38430-04

Copyright © 2009, 2014, Oracle and/or its affiliates. All rights reserved.

This software and related documentation are provided under a license agreement containing restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you find any errors, please report them to us in writing.

If this is software or related documentation that is delivered to the U.S. Government or anyone licensing it on behalf of the U.S. Government, the following notice is applicable:

U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, delivered to U.S. Government end users are "commercial computer software" pursuant to the applicable Federal Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication, disclosure, modification, and adaptation of the programs, including any operating system, integrated software, any programs installed on the hardware, and/or documentation, shall be subject to license terms and license restrictions applicable to the programs. No other rights are granted to the U.S. Government.

This software or hardware is developed for general use in a variety of information management applications. It is not developed or intended for use in any inherently dangerous applications, including applications that may create a risk of personal injury. If you use this software or hardware in dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup, redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim any liability for any damages caused by use of this software or hardware in dangerous applications.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.

Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC trademarks are used under license and are trademarks or registered trademarks of SPARC International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.

This software or hardware and documentation may provide access to or information on content, products, and services from third parties. Oracle Corporation and its affiliates are not responsible for and expressly disclaim all warranties of any kind with respect to third-party content, products, and services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages incurred due to your access to or use of third-party content, products, or services.

For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.

Access to Oracle Support

Oracle customers have access to electronic support through My Oracle Support. For information, visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.


Contents

CONTENTS ........................................................................ IV

SEND US YOUR COMMENTS ........................................................... V

PREFACE ......................................................................... VI

CHANGE HISTORY .................................................................. VI

1. GENERAL ARCHITECTURE ......................................................... 1-7

USER SYNCHRONIZATION ............................................................ 1-7
SHARED ATTRIBUTES ............................................................... 1-7
OAM TO ORACLE TRANSPORTATION MANAGEMENT ......................................... 1-8
ORACLE TRANSPORTATION MANAGEMENT TO OAM ......................................... 1-11

SINGLE SIGN-ON .................................................................. 1-11

2. INTEGRATION SETUP ............................................................ 2-1

ACTIVE DIRECTORY MODIFICATIONS .................................................. 2-1
OAM IDENTITY SYSTEM MODIFICATIONS ............................................... 2-4
ADDING THE ORACLE TRANSPORTATION MANAGEMENT USER CLASS TO THE IDENTITY SERVER ... 2-4
ADDING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION TO USER MANAGER DISPLAYS ... 2-4
MAKING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION SEARCHABLE ............. 2-4
ADDING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION TO SEARCH RESULTS ...... 2-5
SETTING ACCESS CONTROL ON ORACLE TRANSPORTATION MANAGEMENT ATTRIBUTES ........... 2-5
ADDING WORKFLOWS ................................................................ 2-6
ORACLE TRANSPORTATION MANAGEMENT PROPERTY MODIFICATIONS ......................... 2-13

3. SINGLE SIGN-ON SETUP ......................................................... 3-1

OAM ACCESS SYSTEM MODIFICATIONS ................................................. 3-1
OAM WEB SERVER MODIFICATIONS .................................................... 3-2
ORACLE TRANSPORTATION MANAGEMENT PROPERTY MODIFICATIONS ......................... 3-2
CONFIGURE FTI/GTI WITH OAM (SSO) ................................................ 3-2
CURRENT SECURITY MECHANISM ...................................................... 3-2
PREREQUISITES TO USE SINGLE SIGN-ON (SSO) FOR FTI/GTI ........................... 3-2
CONFIGURATION PROCESS ........................................................... 3-2


Send Us Your Comments

Oracle Transportation Management OAM Integration Guide, Release 6.3

Part No. E38430-04

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication. Your input is an important part of the information used for revision.

Did you find any errors?

Is the information clearly presented?

Do you need more information? If so, where?

Are the examples correct? Do you need more examples?

What features did you like most about this manual?

If you find any errors or have any other suggestions for improvement, please indicate the title and part number of the documentation and the chapter, section, and page number (if available). You can send comments to us in the following ways:

Electronic mail: [email protected]

If you would like a reply, please give your name, address, telephone number, and electronic mail address (optional).

If you have problems with the software, contact Support at https://support.oracle.com or find the Support phone number for your region at http://www.oracle.com/support/contact.html.


Preface

This document provides guidelines for integrating Oracle Access Manager (OAM) with Oracle Transportation Management (OTM). It includes an architectural overview as well as step-by-step instructions to configure both products for interoperability. System architects should use this document to design a common security layer that incorporates Oracle Transportation Management. System integrators should use this document to implement communication between the products. This connection ensures security data is synchronized between the two products.

Change History

Date      Document Revision   Summary of Changes

12/2012   -01                 Initial release.

2/2013    -02                 Added new section on Configuring FTI with OAM (SSO). Bug 16317373

8/2013    -03                 Updates for OAM and WebGate for Single Sign-on

12/2013   -04                 Reworked section on Configuring FTI with OAM to include new product GTI. Section is now titled “Configuring FTI/GTI with OAM (SSO).”


1. General Architecture

An OAM/Oracle Transportation Management integration environment consists of three distinct subsystems:

A secure intranet running Oracle Transportation Management web and application servers. Each web server runs Oracle HTTP Server fronting a Tomcat servlet engine. The application servers run on WebLogic. HTTP requests are accepted on port 8080.

One or more OAM web servers running Web Pass, Policy Manager and Web Gate. While OAM supports a number of web server platforms, Oracle Transportation Management is certified against the Oracle HTTP Server. HTTP requests are accepted on port 80.

An OAM server zone. This consists of one or more Identity and Access servers backed by an Oracle Internet Directory (OID) active directory.

To manage enterprise users, an administrator accesses an OAM web server to add, update, and remove user information from the OAM Identity Server. To implement single sign-on, OTM's OHS server has a WebGate installed that communicates with OAM for authenticating and authorizing enterprise users.

User Synchronization

Shared Attributes

An auxiliary object class (otmUser) in the active directory defines attributes shared by Oracle Transportation Management and OAM. These attributes include:

The Oracle Transportation Management user ID. This links an OAM enterprise user to a specific Oracle Transportation Management user. Two mapping models can be used. In the one-to-one model, an OAM user may map to at most one Oracle Transportation Management user. This gives an OAM manager full control over Oracle Transportation Management attributes without inadvertently affecting other users. Conversely, the many-to-one model supports mapping many OAM users to a single Oracle Transportation Management user. In an environment with tens of thousands of users, this improves Oracle Transportation Management scalability at the cost of reduced control.

The Oracle Transportation Management user role. This is the default user role GID for the Oracle Transportation Management user.

The Oracle Transportation Management user preferences. If specified, a User Preferences access record is added to Oracle Transportation Management, specifying a user preference override for this user.

The Oracle Transportation Management user menus. If specified, a User Menu access record is added to Oracle Transportation Management, specifying one or more user menu layout overrides for this user.

The Oracle Transportation Management nickname. An alternate login for Oracle Transportation Management intranet users.

The Oracle Transportation Management user password. If single sign-on is not used or intranet users are supported, OAM managers can control the Oracle Transportation Management password. If left blank, the Oracle Transportation Management password is set to a default.

Changes to these attributes made in OAM are reflected in the Oracle Transportation Management schema and user management pages. Changes to these attributes made in Oracle Transportation Management are reflected in the OAM user panels.


OAM to Oracle Transportation Management

Changes made to Oracle Transportation Management attributes in OAM are validated and forwarded to Oracle Transportation Management. This is done through four custom event handlers:

1. An external action in the Create OTM User workflow. This action validates Oracle Transportation Management user information via an Oracle Transportation Management servlet. If validation succeeds, the action sends a User XML integration message to the Oracle Transportation Management web server, adding or modifying the corresponding Oracle Transportation Management user. This workflow should be available to all OAM users with rights to add Oracle Transportation Management users. When such a user selects Create User Identity from the User Manager, they can opt to create a basic user or to create an Oracle Transportation Management user. The Oracle Transportation Management user flow triggers the Create OTM User workflow.

2. An external action in the Modify OTM User workflow. This action validates Oracle Transportation Management user information via an Oracle Transportation Management web server servlet. If validation succeeds, the action sends a User XML integration message to the Oracle Transportation Management web server, adding, modifying, or deleting the corresponding Oracle Transportation Management user.¹ This workflow should be available to all managers. When a manager tries to modify an OAM user, the Oracle Transportation Management attributes are only accessible via a Request to Remove or Request to Modify button on the Oracle Transportation Management user GID. These buttons trigger the Modify OTM User workflow.

3. An external action in the Delete OTM User workflow. This action sends a User XML integration message to the Oracle Transportation Management web server, removing the corresponding Oracle Transportation Management user. If the Identity Server is configured with the many-to-one user model, this action is ignored.

4. An on-change handler for the inetOrgPerson object class. An administrator (e.g. orcladmin) may modify Oracle Transportation Management attributes directly without triggering the Modify OTM User workflow. Any changes to Oracle Transportation Management attributes are still validated against an Oracle Transportation Management servlet and User XML is sent to Oracle Transportation Management.

Any validation or communication errors are embedded into the OAM event or Presentation XML and displayed to the OAM user. If the errors occurred within the Create, Modify, or Delete workflow, the workflow is aborted: OAM user changes are not committed. If an error occurs during the on-change handler for inetOrgPerson, the OAM user changes are committed anyway. As this can lead to inconsistencies between OAM and Oracle Transportation Management user information, avoid modifying Oracle Transportation Management attributes as an administrator when possible.

Oracle Transportation Management provides three executable jar files to implement event handlers: OnOTMUserAdd.jar, OnOTMUserChange.jar and OnOTMUserDelete.jar. OnOTMUserChange.jar is used for both the Modify External action and for On Change Events to inetOrgPerson. These handlers are written in Java and run in a separate process space from the Identity Server.

¹ If the OTM User GID is cleared in OTM, and the Identity Server supports a one-to-one user model, the corresponding OTM user is deleted.

Validation

The following are current validation checks performed by Oracle Transportation Management:


Reserved Users. Oracle Transportation Management ADMIN and DEFAULT users are reserved. OAM cannot associate a user with an Oracle Transportation Management reserved user. If you want an OAM user to login as an Oracle Transportation Management reserved user, leave their Oracle Transportation Management User GID blank. When accessing Oracle Transportation Management, they will be prompted to enter an Oracle Transportation Management user and password and can directly login as a reserved user.

One-to-one User Model. If the Identity Server is using the one-to-one user model, an Oracle Transportation Management User GID can be referenced by at most one OAM user. The one-to-one model is specified in the oblixpppcatalog.lst configuration file on the Identity Server.

Valid Domain. When specifying a new Oracle Transportation Management User GID, the domain name must be a valid domain from the Oracle Transportation Management DOMAIN table.

Old Password. When modifying an Oracle Transportation Management password for an existing Oracle Transportation Management user, the previous password stored in OAM must match the password stored in Oracle Transportation Management. This is necessary to meet the credential requirements for User XML.

Nickname. Each Oracle Transportation Management Nickname must be unique across all Oracle Transportation Management users.

User Role. The user role must match a USER_ROLE_GID from the Oracle Transportation Management USER_ROLE table.

User Preferences. The user preferences must match a USER_PREFERENCE_GID from the Oracle Transportation Management USER_PREFERENCE table.

User Menus. Each user menu must match a USER_MENU_LAYOUT_GID from the Oracle Transportation Management USER_MENU_LAYOUT table.
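The checks above can be read as one validation routine that runs before any User XML is sent. The following is an added example, not code from this guide or from the Oracle Transportation Management servlet: it re-implements the eight checks against small in-memory stand-ins for the DOMAIN, USER_ROLE, USER_PREFERENCE, USER_MENU_LAYOUT and GL_USER tables and for the directory's otmUserGid values. The table contents, DNs, dataclass and function names, and the assumption that a GID has the form DOMAIN.NAME are all constructed here for illustration.

```python
"""Validation checks performed before a User XML message is sent.

Added example, not code from the Oracle guide or from OTM itself. Table
contents, DNs, the dataclass and function names, and the DOMAIN.NAME GID
format are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

RESERVED_USERS = {"ADMIN", "DEFAULT"}   # reserved OTM users named in the guide


@dataclass
class OtmTables:
    """Constructed stand-in for the OTM tables the checks consult."""
    domains: set
    user_roles: set
    user_preferences: set
    user_menu_layouts: set
    gl_user_passwords: dict   # GL_USER_GID -> password currently stored in OTM
    nicknames: dict           # nickname -> GL_USER_GID that already owns it


@dataclass
class OtmUserChange:
    """The OTM attributes an OAM workflow is about to commit for one user."""
    otm_user_gid: str
    user_role: Optional[str] = None
    user_preferences: Optional[str] = None
    user_menus: list = field(default_factory=list)
    nickname: Optional[str] = None
    new_password: Optional[str] = None
    old_password_in_oam: Optional[str] = None


def validate_change(change, tables, directory_gids, this_dn, one_to_one=True):
    """Return the list of validation errors; an empty list means the change passes.

    directory_gids maps every OAM user's DN to its otmUserGid; this_dn is the
    entry being modified, so its own existing mapping is never a conflict.
    """
    errors = []
    gid = change.otm_user_gid
    domain, _, name = gid.rpartition(".")          # DOMAIN.NAME split (assumed format)

    # Reserved Users: ADMIN and DEFAULT cannot be associated with an OAM user.
    if name in RESERVED_USERS:
        errors.append(f"{gid} is a reserved Oracle Transportation Management user")

    # One-to-one User Model: a GID may be referenced by at most one OAM user.
    if one_to_one:
        holders = [dn for dn, g in directory_gids.items() if g == gid and dn != this_dn]
        if holders:
            errors.append(f"{gid} is already mapped to {holders[0]}")

    # Valid Domain: the GID's domain must exist in the DOMAIN table.
    if domain not in tables.domains:
        errors.append(f"domain {domain!r} is not in the DOMAIN table")

    # Old Password: when changing an existing user's password, the previous
    # password held in OAM must equal the one stored in OTM.
    if change.new_password is not None and gid in tables.gl_user_passwords:
        if change.old_password_in_oam != tables.gl_user_passwords[gid]:
            errors.append("previous password in OAM does not match the OTM password")

    # Nickname: unique across all OTM users.
    if change.nickname is not None:
        owner = tables.nicknames.get(change.nickname)
        if owner is not None and owner != gid:
            errors.append(f"nickname {change.nickname!r} is already used by {owner}")

    # User Role / User Preferences / User Menus: each value must exist in its table.
    if change.user_role is not None and change.user_role not in tables.user_roles:
        errors.append(f"user role {change.user_role!r} is not in USER_ROLE")
    if (change.user_preferences is not None
            and change.user_preferences not in tables.user_preferences):
        errors.append(f"user preference {change.user_preferences!r} is not in USER_PREFERENCE")
    for menu in change.user_menus:
        if menu not in tables.user_menu_layouts:
            errors.append(f"user menu {menu!r} is not in USER_MENU_LAYOUT")
    return errors


# Constructed sample data: one existing OTM user (ACME.JSMITH) is already mapped.
SAMPLE_TABLES = OtmTables(
    domains={"ACME", "GUEST"},
    user_roles={"ACME.DISPATCHER", "ACME.PLANNER"},
    user_preferences={"ACME.METRIC"},
    user_menu_layouts={"ACME.SHIPMENTS", "ACME.ORDERS"},
    gl_user_passwords={"ACME.JSMITH": "s3cret-old"},
    nicknames={"jsmith": "ACME.JSMITH"},
)
SAMPLE_DIRECTORY = {"cn=jsmith,ou=people,o=acme": "ACME.JSMITH"}

if __name__ == "__main__":
    new_user = OtmUserChange("ACME.JDOE", user_role="ACME.DISPATCHER",
                             user_menus=["ACME.SHIPMENTS"], nickname="jdoe")
    print(validate_change(new_user, SAMPLE_TABLES, SAMPLE_DIRECTORY,
                          "cn=jdoe,ou=people,o=acme"))        # []
    dup = OtmUserChange("ACME.JSMITH", nickname="jsmith")
    print(validate_change(dup, SAMPLE_TABLES, SAMPLE_DIRECTORY,
                          "cn=other,ou=people,o=acme"))       # one-to-one conflict
```

Passing `one_to_one=False` models the many-to-one Identity Server setting, under which the second mapping of ACME.JSMITH is accepted; every other check is unaffected by the model.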

It’s possible for validation to succeed but for Oracle Transportation Management to encounter errors processing the User XML. For example, the Oracle Transportation Management user specified in oblixpppcatalog.lst may only have rights to add users for a particular Oracle Transportation Management domain. If the OAM administrator tries to associate an OAM user with an Oracle Transportation Management user outside that domain, the resulting VPD error is not caught until the User XML is processed. This occurs asynchronously, independently of the OAM workflow. To catch these errors, you can configure OAM to send out Oracle Transportation Management transaction report error emails to a monitoring mailbox (see the Linking Oracle Transportation Management External Actions section). Any errors received in this mailbox require manual synchronization of the OAM and Oracle Transportation Management users.

User XML

User XML integration messages are an Oracle Transportation Management 6.0 extension to the Oracle Transportation Management integration layer. The schema for the new GLogElement is:


OAM integration leverages the GlUserGid, TransactionCode, Nickname, UserPassword, UserRoleGid, UserPreferenceGid, UserMenuLayoutGid, and IsFromOAM elements. The IsFromOAM element ensures that updates from OAM to Oracle Transportation Management don’t trigger any updates back to OAM.

The event handlers only forward fields that have changed. For workflow events, the handler retrieves previous values by querying the OAM web server with Identity XML.² It then compares these against the new values supplied by the workflow and constructs an appropriate User XML.
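The compare-then-construct step can be shown concretely. The following is an added example, not code from this guide or from the OnOTMUser*.jar handlers: it diffs the previous attribute values (what the handler would read back via Identity XML) against the workflow's new values and emits only the changed fields, with IsFromOAM set so the update is not echoed back. The element names are those the guide lists above; the <User> wrapper element, the element order, the TransactionCode values "IU" (insert/update) and "D" (delete), the IsFromOAM value "Y", and the use of an empty element for a cleared attribute are assumptions made here, since the schema itself is not reproduced on this page.

```python
"""Construct a User XML message carrying only the fields that changed.

Added example, not code from the Oracle guide or from the OTM event
handlers. Element names follow the guide; the <User> wrapper, element
order, TransactionCode values, IsFromOAM value and the empty-element
convention for cleared attributes are assumptions.
"""
import xml.etree.ElementTree as ET

# Directory attribute -> User XML element.
ATTR_TO_ELEMENT = {
    "otmUserRole": "UserRoleGid",
    "otmUserPreferences": "UserPreferenceGid",
    "otmUserMenus": "UserMenuLayoutGid",   # multi-valued: one element per menu
    "otmNickname": "Nickname",
    "otmPassword": "UserPassword",
}
MULTI_VALUED = {"otmUserMenus"}


def changed_fields(previous, current):
    """Return {attribute: new value} for every attribute whose value differs.

    `previous` stands for the values read back via Identity XML before the
    workflow commits; `current` is what the workflow supplies. A cleared
    attribute shows up with the value None (or [] for otmUserMenus).
    """
    changed = {}
    for attr in ATTR_TO_ELEMENT:
        old, new = previous.get(attr), current.get(attr)
        if attr in MULTI_VALUED:
            old, new = sorted(old or []), sorted(new or [])   # order-insensitive
        if old != new:
            changed[attr] = new
    return changed


def build_user_xml(gl_user_gid, previous, current, delete=False):
    """Return the User XML document as a string, or None when nothing changed."""
    changed = {} if delete else changed_fields(previous, current)
    if not delete and not changed:
        return None                      # the handlers forward changed fields only
    user = ET.Element("User")            # wrapper element name: assumed
    ET.SubElement(user, "GlUserGid").text = gl_user_gid
    ET.SubElement(user, "TransactionCode").text = "D" if delete else "IU"
    for attr, value in changed.items():
        name = ATTR_TO_ELEMENT[attr]
        values = value if attr in MULTI_VALUED else [value]
        if not values or value is None:
            ET.SubElement(user, name)    # cleared: empty element (assumed convention)
            continue
        for v in values:
            ET.SubElement(user, name).text = v
    # IsFromOAM stops OTM from echoing this update back to OAM.
    ET.SubElement(user, "IsFromOAM").text = "Y"
    return ET.tostring(user, encoding="unicode")


def parse_user_xml(xml_text):
    """Parse a User XML string into {element: [text, ...]} for inspection."""
    root = ET.fromstring(xml_text)
    result = {}
    for child in root:
        result.setdefault(child.tag, []).append(child.text)
    return result


if __name__ == "__main__":
    # Constructed before/after values for one OAM user.
    before = {"otmUserRole": "ACME.DISPATCHER", "otmNickname": "jdoe",
              "otmUserMenus": ["ACME.SHIPMENTS"]}
    after = {"otmUserRole": "ACME.PLANNER", "otmNickname": "jdoe",
             "otmUserMenus": ["ACME.SHIPMENTS", "ACME.ORDERS"]}
    print(build_user_xml("ACME.JDOE", before, after))
```

Note that the unchanged Nickname is not emitted at all, which is what keeps an OAM-side edit from overwriting a nickname that an intranet user changed in Oracle Transportation Management in the meantime.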

Access Requirements

Event handlers running on the Identity Server must have HTTP access to both the OAM Web Pass web server and the Oracle Transportation Management integration web server.

Oracle Transportation Management to OAM

Oracle Transportation Management users can change user attributes via integration (i.e. User XML) or from the following Oracle Transportation Management pages:

User Manager, including the Remove User, Update Nickname, Update Password, and Update User Role actions.

Manage User Access with the User Preference access type. This corresponds to the OAM otmUserPreferences attribute when the User Access User ID is specific to the Oracle Transportation Management user.

Manage User Access with the User Menu access type. This corresponds to the OAM otmUserMenus attribute when the User Access User ID is specific to the Oracle Transportation Management user.

Change Password

When a user change is detected, Oracle Transportation Management interacts with an OAM Web Pass web server to:

Identify all distinguished names whose otmUserGid matches the modified user.

For modified or removed user fields, update the attribute on all matching OAM users.

For removed users, clear the otmUserGid field on all matching OAM users.

If the OAM server is not available, the Oracle Transportation Management action throws an exception and user changes are not committed.
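The three steps above, together with the commit rule, can be modelled end to end. The following is an added example, not code from this guide or from Oracle Transportation Management: it runs the search and update steps against an in-memory stand-in for the directory behind the OAM Web Pass server, where a real handler would send the search and modify requests to Web Pass over HTTP. The FakeWebPass class, the exception name, the DNs and attribute values are constructed for illustration; the sample directory deliberately maps two OAM entries to one Oracle Transportation Management user, as the many-to-one model allows.

```python
"""Propagate an Oracle Transportation Management user change to every OAM
entry that maps to it.

Added example, not code from the Oracle guide. FakeWebPass stands in for
the OAM Web Pass web server; DNs, attribute values and the exception
name are constructed.
"""


class WebPassUnavailable(Exception):
    """Raised when the OAM web server cannot be reached."""


# OTM-side field -> OAM attribute (names from the Shared Attributes list).
FIELD_TO_ATTR = {
    "nickname": "otmNickname",
    "password": "otmPassword",
    "user_role": "otmUserRole",
    "user_preferences": "otmUserPreferences",
    "user_menus": "otmUserMenus",
}


class FakeWebPass:
    """Minimal stand-in: entries is {dn: {attribute: value}}."""

    def __init__(self, entries, available=True):
        self.entries = entries
        self.available = available

    def search(self, attribute, value):
        """Return every DN whose attribute equals value."""
        if not self.available:
            raise WebPassUnavailable("OAM web server not reachable")
        return [dn for dn, attrs in self.entries.items() if attrs.get(attribute) == value]

    def modify(self, dn, attribute, value):
        """Replace the attribute, or remove it when value is None."""
        if not self.available:
            raise WebPassUnavailable("OAM web server not reachable")
        if value is None:
            self.entries[dn].pop(attribute, None)
        else:
            self.entries[dn][attribute] = value


def sync_user_change(webpass, otm_user_gid, changed=None, removed=False):
    """Apply an OTM change to all matching OAM users; return the DNs touched.

    changed maps OTM field -> new value (None = field removed). With the
    many-to-one model several DNs can share one otmUserGid, so every match
    is updated, not just the first.
    """
    matches = webpass.search("otmUserGid", otm_user_gid)   # step 1
    for dn in matches:
        if removed:
            webpass.modify(dn, "otmUserGid", None)          # step 3: clear the link
        else:
            for field, value in (changed or {}).items():    # step 2: update fields
                webpass.modify(dn, FIELD_TO_ATTR[field], value)
    return matches


def commit_otm_change(webpass, otm_user_gid, changed=None, removed=False):
    """Mirror OTM's behaviour: commit the OTM transaction only if OAM was updated."""
    try:
        updated = sync_user_change(webpass, otm_user_gid, changed, removed)
    except WebPassUnavailable:
        return {"committed": False, "updated": []}   # OTM change is rolled back
    return {"committed": True, "updated": updated}


def sample_directory():
    """Constructed directory: two OAM users share ACME.JDOE (many-to-one)."""
    return {
        "cn=jdoe,ou=people,o=acme": {"otmUserGid": "ACME.JDOE", "otmNickname": "jdoe"},
        "cn=jdoe2,ou=people,o=acme": {"otmUserGid": "ACME.JDOE"},
        "cn=asmith,ou=people,o=acme": {"otmUserGid": "ACME.ASMITH"},
    }


if __name__ == "__main__":
    wp = FakeWebPass(sample_directory())
    print(commit_otm_change(wp, "ACME.JDOE", {"nickname": "johnd"}))
    print(commit_otm_change(wp, "ACME.JDOE", removed=True))
    print(commit_otm_change(FakeWebPass(sample_directory(), available=False),
                            "ACME.JDOE", {"nickname": "x"}))
```

The fail-closed behaviour matters for consistency: when Web Pass is down the OTM-side change is reported as not committed and the directory is left untouched, so neither side drifts.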

Single Sign-on

Customers can leverage OAM single sign-on to delegate authentication of Oracle Transportation Management pages to OAM. Requests are sent to OTM and intercepted by a WebGate installed on the OHS instance. The WebGate looks for an authentication cookie and, if it is not present, redirects the user to OAM for authentication. Once authenticated, the WebGate can store the User ID in a header value, as a request parameter, or in a cookie. This is configured in OAM and must match the configuration in OTM. The User ID can be the GL User GID or a Nickname. Once that is set the user can access OTM.

Certain users may need to access multiple users in Oracle Transportation Management or login as a reserved user. By omitting the otmUserGid attribute for these users, Oracle Transportation Management redirects proxy requests to the Oracle Transportation Management login page. This allows an OAM user direct access to Oracle Transportation Management security.

² As a separate Java process, the handler does not have direct access to the Identity API.

For clients behind the Oracle Transportation Management intranet, requests can be made directly against the Oracle Transportation Management web server. Though user attributes are still manageable from OAM, SSO is avoided and intranet users have direct access to Oracle Transportation Management security.


2. Integration Setup

Active Directory Modifications

Oracle Transportation Management requires an otmUser auxiliary object class in the Lightweight Directory Access Protocol (LDAP) directory holding OAM user information. The class must have the following attributes:

Attribute Name      Description                                             Syntax            Size  Multiple Values  OID Object ID

otmUserGid          Oracle Transportation Management User GID               Printable String  101   No               1911.01.01

otmUserRole         Oracle Transportation Management User Role GID          Printable String  101   No               1911.01.02

otmUserPreferences  Oracle Transportation Management User Preference GID    Printable String  101   No               1911.01.03

otmUserMenus        Oracle Transportation Management User Menu Layout GIDs  Printable String  101   Yes              1911.01.04

otmNickname         Oracle Transportation Management User Nickname          Printable String  101   No               1911.01.05

otmPassword         Oracle Transportation Management User Password          Printable String  128   No               1911.01.06

If possible, the otmUserGid attribute should be indexed for faster searches.

The otmUser class must contain the above attributes as optional attributes. Under OID, the class must be defined as:

Class    Description                            Type       Object ID  Superclass  Mandatory Attributes  Optional Attributes

otmUser  Oracle Transportation Management User  Auxiliary  1911.01    top         (none)                otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
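Values written into these attributes by either side should respect the syntax and size limits in the table before they reach the directory, or the LDAP server will reject the modify and the two systems will drift. The following is an added example, not code from this guide or from Oracle Transportation Management, that checks a candidate entry against the constraints above. The attribute names, sizes and single/multi-valued flags are copied from the table; the PrintableString character set is the X.680 one (letters, digits, space and the characters ' ( ) + , - . / : = ?), and the check_entry helper and the sample entry are constructed here.

```python
"""Check otmUser attribute values against the schema constraints in the table.

Added example, not code from the Oracle guide. Sizes and multi-value flags
are copied from the attribute table; the helper and sample entry are
constructed.
"""
import string

# X.680 PrintableString: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE_STRING = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

# attribute -> (maximum size, multiple values allowed)
OTM_USER_SCHEMA = {
    "otmUserGid": (101, False),
    "otmUserRole": (101, False),
    "otmUserPreferences": (101, False),
    "otmUserMenus": (101, True),
    "otmNickname": (101, False),
    "otmPassword": (128, False),
}


def check_value(attribute, value):
    """Return an error string for one value, or None if syntax and size are satisfied."""
    max_size, _ = OTM_USER_SCHEMA[attribute]
    if not isinstance(value, str) or not value:
        return f"{attribute}: value must be a non-empty string"
    if len(value) > max_size:
        return f"{attribute}: {len(value)} characters exceeds size {max_size}"
    bad = sorted(set(value) - PRINTABLE_STRING)
    if bad:
        return f"{attribute}: characters {bad!r} are not PrintableString"
    return None


def check_entry(entry):
    """Validate every otmUser attribute present in entry ({attribute: str | [str]}).

    Attributes of other classes (inetOrgPerson and so on) are ignored, and
    absent otmUser attributes are fine because all of them are optional.
    """
    errors = []
    for attribute, (_, multi) in OTM_USER_SCHEMA.items():
        if attribute not in entry:
            continue
        value = entry[attribute]
        values = value if isinstance(value, list) else [value]
        if len(values) > 1 and not multi:
            errors.append(f"{attribute}: single-valued but {len(values)} values given")
        for v in values:
            err = check_value(attribute, v)
            if err:
                errors.append(err)
    return errors


if __name__ == "__main__":
    # Constructed entry: the underscore in the GID is outside PrintableString,
    # otmNickname is given two values, and otmPassword is one character too long.
    print(check_entry({"cn": "jdoe", "otmUserGid": "ACME.J_DOE",
                       "otmUserMenus": ["ACME.SHIPMENTS", "ACME.ORDERS"],
                       "otmNickname": ["jdoe", "jd"],
                       "otmPassword": "x" * 129}))
```

The underscore case is worth noticing when choosing Oracle Transportation Management GIDs that will be mirrored into the directory: it is a legal character in many naming schemes but not in PrintableString, so a directory server enforcing the declared syntax will refuse it.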


Figure 1 shows the Oracle Transportation Management-specific attributes under Oracle Directory Manager.

Figure 1 - Oracle Transportation Management Extension Attributes for OID

Figure 2 shows the Oracle Transportation Management-specific auxiliary class under Oracle Directory Manager.

Figure 2 - Oracle Transportation Management Auxiliary Class for OIM


OAM Identity System Modifications

Adding the Oracle Transportation Management User Class to the Identity Server

Perform the following steps to incorporate the otmUser object class into OAM’s Identity Server:

1. Restart the Identity Server.

2. Bring up the Identity System Console (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the Master Administrator.

3. Select Common Configuration.

4. Select Object Classes.

5. Click Add.

6. Choose a class type of Person and search for the otmUser class in the Object Class list.

Note: Once the otmUser class is added to OAM, it cannot be removed.

7. Click Save. You will be redirected to the Configure Attributes page.

8. Select otmPassword and change its display type to Password, its text size to 128 and its text length to 30. Click Save.

9. Click Done.

Adding Oracle Transportation Management User Information to User Manager Displays

Perform the following steps to add Oracle Transportation Management user attributes to the OAM user profile:

1. Bring up the Identity System Console (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the Master Administrator.

2. Select User Manager Configuration.

3. Select Tabs.

4. Select the Employees tab.

5. Click Modify.

6. Select the otmUser class in the Object Class(es) list.

7. Click Save. You will be redirected to the Modify Attributes page. If not, select Modify Attributes.

8. Select each otm attribute and change the Display Name to specify a better description for an end user. For example, set the display name for otmUserGid to OTM User ID. Make sure to save each change before moving to the next attribute.

Making Oracle Transportation Management User Information Searchable

Perform the following steps to allow a user to search for Oracle Transportation Management user information. This allows EXEC actions for Oracle Transportation Management to query Oracle Transportation Management attributes from the identity server.

1. Bring up the Identity System Console (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the Master Administrator.

2. Select User Manager Configuration.


3. Select Tabs.

4. Select the Employees tab.

5. Press the View Object Profile button.

6. Select Configure Panels.

7. Press the Create button.

8. Add a panel OTM containing all six Oracle Transportation Management attributes. You may want to order the attributes by likely frequency of use: OTM User ID, OTM User Role, OTM User Preferences, OTM User Menus, OTM Nickname, OTM Password.

9. Add an additional attribute for Manager. Only managers can invoke workflows to modify Oracle Transportation Management attributes, so you must specify a valid manager for each Oracle Transportation Management user.

10. Select the Panel Information Is Complete check box.

11. Click Save.

12. Go back to the View Tab page for Employees.

13. Select the View Search Attributes button. Confirm the six Oracle Transportation Management attributes are searchable.

Adding Oracle Transportation Management User Information to Search Results

If you want Oracle Transportation Management user information to be displayed on user search results, perform the following steps:

1. Bring up the Identity System Console (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the Master Administrator.

2. Select User Manager Configuration.

3. Select Tabs.

4. Select the Employees tab.

5. Press the View Search Results Attributes button.

6. Press the Modify button.

7. Add Oracle Transportation Management attributes as needed.

8. Click Save.

Setting Access Control on Oracle Transportation Management Attributes

Only administrators and managers should have read access to Oracle Transportation Management attributes. Direct modify access should be reserved for administrators to force managers to use workflows to change Oracle Transportation Management data (see the Adding Workflows section). To set access control on Oracle Transportation Management attributes, perform the following steps:

1. Login to the User Manager as the Master Administrator and select the Configuration tab.

2. Select Attribute Access Control.

3. Select all attributes and assign their Read rights to Manager and Self.

4. Click Save.

5. Select all but the six Oracle Transportation Management attributes and assign their Modify rights to Manager.

6. Click Save.

7. Confirm no role is assigned modify rights for the Oracle Transportation Management attributes.


Adding Workflows

All user information should be controlled via workflows. These workflows provide steps to validate changes to Oracle Transportation Management user attributes and forward accepted changes to Oracle Transportation Management. This ensures that OAM and Oracle Transportation Management user information is synchronized.

Note that the following sections assume you have familiarity with creating basic and custom workflows. Workflows should already be enabled for adding, modifying, and deactivating non-Oracle Transportation Management users in your enterprise. An additional workflow must be enabled for adding a group. Please consult the OAM Identity and Common Administration Guide for more information.

The workflow examples provided in sections Adding Workflow: Create Oracle Transportation Management User, Adding Workflow: Modify Oracle Transportation Management User, and Adding Workflow: Delete Oracle Transportation Management User can serve as starting points for more complex workflows requiring automated or human approval processes. They are provided as simple examples for synchronizing Oracle Transportation Management with OAM in response to external actions.

Adding Workflow: Create Oracle Transportation Management User

Add a workflow to support creation of Oracle Transportation Management users using the following steps:

1. Create a Create User type workflow named Create OTM User.

2. Specify a target domain of OTM, matching the LDAP domain specified for OAM user information.

3. Add the following workflow steps:

Step: Initiate
  Attributes: Required fields for non-Oracle Transportation Management users (e.g. Full Name, Last Name), Manager; if SSO, include Login and User Password; otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
  Participants: Anyone
  Notes: Select all Oracle Transportation Management attributes, select the Properties button and set the kind to Optional. If not supporting an Oracle Transportation Management intranet, the otmNickname can be Hidden. If you’re using SSO, you may want to set otmPassword to Hidden. This will use the default Oracle Transportation Management password in the GL_USER table.

Step: External Action
  Previous Step Requirement: 1:Initiate = True
  Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
  Notes: Select all Oracle Transportation Management attributes, select the Properties button and set the kind to Optional. If the External Action fails due to a validation or communications error, the action returns an error message to the OAM results page and the action aborts without creating the user.

Step: Enable
  Previous Step Requirement: 2:External Action = True

4. Save and enable the workflow.

5. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle

Transportation Management External Actions section.

Adding Workflow: Modify Oracle Transportation Management User

Add a workflow to support modification of Oracle Transportation Management user information using the following steps:

1. Create a Change Attribute type workflow named Modify OTM User. Select otmUserGid as the change attribute.

2. Add the following workflow steps:

   Step: Request
   Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
   Participants: Manager
   Notes: Select all Oracle Transportation Management attributes except for otmUserGid, select the Properties button and set the kind to Optional. If not supporting an Oracle Transportation Management intranet, the otmNickname can be Hidden. If you’re using SSO, you may want to set otmPassword to Hidden. This will use the default Oracle Transportation Management password in the GL_USER table.

   Step: External Action
   Previous Step Requirement: 1:Request = True
   Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
   Notes: Select all Oracle Transportation Management attributes except for otmUserGid, select the Properties button and set the kind to Optional.

   Step: Commit
   Previous Step Requirement: 2:External Action = True
   Notes: If the External Action fails due to a validation or communications error, the action returns an error message to the OAM results page and the action aborts without committing the user modification.

3. Save and enable the workflow.

4. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle Transportation Management External Actions section.

Adding Workflow: Delete Oracle Transportation Management User

Add a workflow to support removal of Oracle Transportation Management users using the following steps:

1. Create a Deactivate User type workflow named Delete OTM User.

2. Add the following workflow steps:

   Step: Initiate
   Attributes: otmUserGid
   Participants: Manager

   Step: External Action
   Previous Step Requirement: 1:Initiate = True
   Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
   Notes: Select all Oracle Transportation Management attributes, select the Properties button and set the kind to Optional.

   Step: Delete
   Previous Step Requirement: 2:External Action = True
   Notes: If the External Action fails due to a validation or communications error, the action returns an error message to the OAM results page and the action aborts without deleting the user.

3. Save and enable the workflow.

4. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle Transportation Management External Actions section.


Linking Oracle Transportation Management External Actions

OAM communicates with Oracle Transportation Management via two servlets running on an Oracle Transportation Management web server:

- a validation servlet, to verify Oracle Transportation Management attribute data exists in the Oracle Transportation Management schema
- an integration servlet, to create/update/delete Oracle Transportation Management users

Three external actions, written in Java, are provided to implement the external actions from the OAM workflows to these Oracle Transportation Management servlets. To install these actions:

1. Make sure a Java Run-Time Environment (JRE) is installed on the identity server.

2. Create a directory on your identity server for the Oracle Transportation Management external actions. We recommend:

<OAM Identity Server Installation Directory>/oblix/apps/otm

This will be referred to as the OTM Apps Directory.

3. Copy the following files from the OAMExternalActions directory under your Oracle Transportation Management installation to the OTM Apps Directory:

OnOTMUserAdd.jar
OnOTMUserChange.jar
OnOTMUserDelete.jar
xercesImpl.jar

4. Edit the oblixpppcatalog.lst file in the <OAM Identity Server Installation Directory>/oblix/apps/common/bin directory. Add the following lines (each entry is a single line):

# Create OTM User
<Create ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserAdd.jar <args>
# Update OTM User
<Update ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserChange.jar <args>
# Change User Profile Attribute
userservcenter_inetOrgPerson_onchange;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserChange.jar <args>
# Delete OTM User
<Delete ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserChange.jar <args>

where:

Create ID = the Create OTM User obworkflowid from the Adding Workflow: Create Oracle Transportation Management User section.

Update ID = the Update OTM User obworkflowid from the Adding Workflow: Modify Oracle Transportation Management User section.

Delete ID = the Delete OTM User obworkflowid from the Adding Workflow: Delete Oracle Transportation Management User section.

JRE Directory = a Java bin directory, installed on the identity server.

OTM Apps Directory = the directory created in Step 2, holding the Oracle Transportation Management external actions.

Args = command line arguments for the Oracle Transportation Management external actions. Each Oracle Transportation Management action takes the same set of arguments. The following table describes these arguments in detail:

Argument: -server <protocol//server:port>
   Description: The Oracle Transportation Management web server to use for validation and integration.
   Required/Optional: Required
   Example: -server http://otmWeb-01:8080

Argument: -user <OTM user>
   Description: The Oracle Transportation Management integration user. This user must have rights to add/modify/delete all Oracle Transportation Management users possibly sent from OAM. Note: Managers cannot have direct attribute modify rights due to workflow constraints, so the integration should use a master administrator or a particular user with assigned rights.
   Required/Optional: Required
   Example: -user DBA.ADMIN

Argument: -password <password>
   Description: The Oracle Transportation Management integration password.
   Required/Optional: Required
   Example: -password CHANGEME

Argument: -email <email address>
   Description: If the Oracle Transportation Management integration fails, this email address receives an Oracle Transportation Management Transmission Error report.
   Required/Optional: Optional
   Example: -email [email protected]

Argument: -oamServer <protocol//server:port>
   Description: The OAM Identity web server to use for user queries. This is used to retrieve old values when receiving new values from the Update OTM User workflow.
   Required/Optional: Required for Update OTM User
   Example: -oamServer http://oamIdentity:80

Argument: -oamUser <OAM user>
   Description: The OAM user for the query. This user must have read access to all Oracle Transportation Management attributes.
   Required/Optional: Required for Update OTM User
   Example: -oamUser orcladmin

Argument: -oamPwd <OAM Password>
   Description: The OAM password.
   Required/Optional: Required for Update OTM User
   Example: -oamPwd mypassword

Argument: -log <log file>
   Description: Specifies a log file on the Identity Server to track OAM to Oracle Transportation Management communication.
   Required/Optional: Optional
   Example: -log c:/log/OAMtoOTM.log

Argument: -debug
   Description: Turns on debugging. Intermediate communication files are written to c:/temp on the Identity server.
   Required/Optional: Optional
   Example: -debug

Argument: -manyToOneModel
   Description: Allows many-to-one mapping between OAM users and Oracle Transportation Management users. Generally, each Oracle Transportation Management user should map to at most one OAM user. This allows Oracle Transportation Management credentials and access to be uniquely associated with an OAM user. There may be cases where mapping many OAM users to the same Oracle Transportation Management user increases scalability.
   Required/Optional: Optional
   Example: -manyToOneModel

Argument: -retainOTMUsers
   Description: By default, Oracle Transportation Management deletes an Oracle Transportation Management user if the corresponding OAM user is deleted or has its otmUserGid cleared. This option suppresses this behavior. Note that if manyToOneModel is set, retainOTMUsers is automatically set since multiple OAM users may be associated with the same Oracle Transportation Management user.
   Required/Optional: Optional
   Example: -retainOTMUsers

An example oblixpppcatalog.lst file is provided in the OAMExternalActions directory under your Oracle Transportation Management installation.

5. Restart your identity server.
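As an added example (not code from this guide or from Oracle), the following Python script parses an oblixpppcatalog.lst in the key;exec;;command;args form shown in step 4 and checks every Oracle Transportation Management action against the argument table: -server, -user and -password on each entry, the -oamServer/-oamUser/-oamPwd arguments on entries that launch OnOTMUserChange.jar (the guide marks them required for Update OTM User; treating every OnOTMUserChange.jar entry that way is this script's assumption), a password still set to the CHANGEME placeholder, and the rule that -manyToOneModel implies -retainOTMUsers. The sample catalog, workflow ids, hosts and paths are constructed placeholders.

```python
"""Check the OTM external-action entries of an OAM oblixpppcatalog.lst.

Added example, not code from the OTM guide or from Oracle. It parses the
'key;exec;;command;args' lines shown in step 4 and applies the rules of the
argument table. The sample catalog, workflow ids, hosts and paths are
constructed placeholders.
"""
from dataclasses import dataclass, field

# Arguments that take no value, per the argument table.
BARE_FLAGS = {"-debug", "-manyToOneModel", "-retainOTMUsers"}
# Arguments every OTM action must carry.
REQUIRED_ALL = ("-server", "-user", "-password")
# Arguments the table marks "Required for Update OTM User". Assumption: every
# entry launching OnOTMUserChange.jar is treated as an update action.
REQUIRED_UPDATE = ("-oamServer", "-oamUser", "-oamPwd")

# Constructed sample: a complete Create entry and a deliberately incomplete
# Update entry (missing -oam* arguments, placeholder password).
SAMPLE_CATALOG = """\
# Create OTM User
20140101T0000000001_2_externalaction;exec;;/usr/java/bin/java;-jar /oam/oblix/apps/otm/OnOTMUserAdd.jar -server http://otmWeb-01:8080 -user DBA.ADMIN -password s3cret-example -log /var/log/OAMtoOTM.log
# Update OTM User
20140101T0000000002_2_externalaction;exec;;/usr/java/bin/java;-jar /oam/oblix/apps/otm/OnOTMUserChange.jar -server http://otmWeb-01:8080 -user DBA.ADMIN -password CHANGEME -manyToOneModel
"""


@dataclass
class CatalogEntry:
    key: str          # "<obworkflowid>_2_externalaction" or the onchange hook
    command: str      # the java executable
    jar: str          # OnOTMUserAdd.jar / OnOTMUserChange.jar / OnOTMUserDelete.jar
    args: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_args(tokens):
    """Map '-server http://x -debug' to {'-server': 'http://x', '-debug': None}."""
    args, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if not tok.startswith("-"):
            i += 1                      # stray value without an option; skip it
            continue
        if tok in BARE_FLAGS or i + 1 >= len(tokens) or tokens[i + 1].startswith("-"):
            args[tok] = None            # flag without a value
            i += 1
        else:
            args[tok] = tokens[i + 1]
            i += 2
    return args


def parse_catalog(text):
    """Return the OTM external-action entries found in the catalog text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(";")
        if len(parts) < 5 or parts[1] != "exec":
            continue                    # other catalog line types are out of scope
        key, command = parts[0], parts[3]
        tokens = ";".join(parts[4:]).split()
        if len(tokens) < 2 or tokens[0] != "-jar" or "OnOTMUser" not in tokens[1]:
            continue                    # not one of the OTM actions
        jar = tokens[1].replace("\\", "/").rsplit("/", 1)[-1]
        entries.append(CatalogEntry(key, command, jar, parse_args(tokens[2:])))
    return entries


def check_entry(entry):
    """Fill entry.findings with anything that violates the argument table."""
    if not (entry.key.endswith("_2_externalaction")
            or entry.key == "userservcenter_inetOrgPerson_onchange"):
        entry.findings.append("key is neither a workflow external action nor the onchange hook")
    missing = [a for a in REQUIRED_ALL if entry.args.get(a) is None]
    if entry.jar == "OnOTMUserChange.jar":
        missing += [a for a in REQUIRED_UPDATE if entry.args.get(a) is None]
    entry.findings += [f"missing required argument {a}" for a in missing]
    if entry.args.get("-password") == "CHANGEME":
        entry.findings.append("-password is still the documentation placeholder")
    if "-manyToOneModel" in entry.args and "-retainOTMUsers" not in entry.args:
        entry.findings.append("-retainOTMUsers is implied by -manyToOneModel; OTM users will be retained")
    return entry


def check_catalog(text):
    """Return {entry key: [findings]} for every OTM action in the catalog text."""
    return {e.key: check_entry(e).findings for e in parse_catalog(text)}


if __name__ == "__main__":
    for key, findings in check_catalog(SAMPLE_CATALOG).items():
        print(key, "OK" if not findings else findings)
```

To run it against a real catalog, pass the file contents to check_catalog. Because the catalog stores -password and -oamPwd in clear text, restrict read access to oblixpppcatalog.lst on the identity server to the account that runs the identity server.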


Oracle Transportation Management Property Modifications

When user attributes are changed in Oracle Transportation Management, OAM must be notified of the changes. In general, Oracle Transportation Management uses Identity XML to:

- Look up all OAM users referencing the modified Oracle Transportation Management user. These are users with a matching otmUserGid.
- Update the affected attributes on the OAM user.

If the Oracle Transportation Management user is deleted, all Oracle Transportation Management attributes are cleared on associated OAM users. If an Oracle Transportation Management user is added, OAM users are searched for a matching otmUserGid and all their Oracle Transportation Management attributes are synchronized with current values.[3]

The following Oracle Transportation Management properties control communication with OAM:

glog.security.oam.server=<WebPass host>

glog.security.oam.user=<OAM user>

glog.security.oam.password=<OAM password>

Note: The OAM user must have modify rights to all Oracle Transportation Management attributes on all affected OAM users.

To monitor updates from Oracle Transportation Management to OAM, enable the Oracle Transportation Management log ID: OAM.

[3] This is unlikely to occur since workflows fail if Oracle Transportation Management/OAM communication paths are down.


3. Single Sign-on Setup

OAM Access System Modifications

To integrate a single sign-on architecture with Oracle Transportation Management, the access server needs to associate a policy domain with the Oracle Transportation Management resources.

1. Log in to the Access Manager as the Master Administrator and select the Policy Manager tab.

2. Create a new Policy Domain named OTM.

3. Add an http resource type with a URL prefix of /GC3. This will control all access to Oracle Transportation Management servlets.

4. Create an authorization rule named OTM Authorization. The rule should have a single success action, returning a HEADERVAR type variable named HTTP_OTM_UID for return attribute otmUserGid. This forwards the Oracle Transportation Management User GID attribute to Oracle Transportation Management on successful authorization. Make sure the rule allows access to the Anyone role and enable the rule.

5. Create a default authentication rule named OTM Authentication. Typically, this uses the basic over LDAP authentication scheme. If you did not configure standard authentication when installing the access server, consult the OAM Access Administration Guide. The authentication rule should have a single success action, returning a HEADERVAR type variable named HTTP_OTM_UID for return attribute otmUserGid. This forwards the Oracle Transportation Management User GID attribute to Oracle Transportation Management on successful authentication.

6. Create a default authorization expression named OTM Authorization. This should simply select the OTM Authorization rule.

7. Create a policy named OTM Policy. This policy should apply to http resources with the /GC3 prefix and cover operations GET, POST, PUT and HEAD.

8. Save and enable the Oracle Transportation Management policy domain.

9. Use Access Tester to verify your policy domain. Specify a URL of http://localhost/GC3/glog, an operation of GET, show all users with show matching Policy and show matching Rule. The resulting test should show all users with a policy of OTM Policy, a rule of OTM Authorization and authorized.


OAM Web Server Modifications

Please refer to the OAM Installation Guide for steps on configuring single sign-on with WebGate.

Oracle Transportation Management Property Modifications

To respect header variables sent by OAM authentication and authorization success actions, the Oracle Transportation Management web server must include the following properties:

glog.security.sso=true

glog.security.sso.appUidName=HTTP_OTM_UID

glog.security.sso.appUidLocation=3

Once SSO is activated, Oracle Transportation Management disables its logout button by default. You can control the display and effect of the logout button with the following optional properties:

glog.security.sso.logoutButton=true

glog.security.sso.logoutUrl=<URL for OAM logout>

E.g., a relative path to the English logout page is: ../access/oblix/lang/en-us/logout.html.

To support an Oracle Transportation Management intranet (see the General Architecture section), users with direct access to the Oracle Transportation Management web server may circumvent OAM authentication and authorization, logging directly into Oracle Transportation Management. These users always see a logout button and are logged out from Oracle Transportation Management (not OAM) if it is selected.

Configure FTI/GTI with OAM (SSO)

This section provides the steps to configure single sign-on for Fusion Transportation Intelligence (FTI) / Global Trade Intelligence (GTI) using Oracle Access Manager (OAM), assuming the users of FTI/GTI are from Oracle Internet Directory (OID). The groups are assigned to these users by means of an external table GL_USER.

Current Security Mechanism

FTI/GTI uses external table authentication, in which the users and encrypted passwords are saved in a GL_USER table in the database and OBIEE authenticates against them. Access through OTM is done by passing the user name and session ID via URL parameters in the OBIEE URL link and authenticating against the GL_USER_AUTH table.

Prerequisites to use single sign-on (SSO) for FTI/GTI

- Oracle Fusion Transportation Intelligence (FTI) or Oracle Global Trade Intelligence (GTI) is deployed.
- Oracle Internet Directory (OID) is installed.
- Oracle Access Manager (OAM) is installed and configured with OID.
- Only user authentication is to be done by OID. The groups for the user are retrieved from an external table in the database.

Configuration Process

1. Install Oracle Fusion Middleware 11g Web Tier (11.1.1.5 version or later).

This will install Oracle HTTP Server (OHS).

To install this, a WebLogic server should be up and running. So install OHS on the WebLogic server used for OBIEE.

The installation steps can be found in: ORACLE® FUSION MIDDLEWARE INSTALLATION GUIDE FOR ORACLE WEB TIER 11G RELEASE 1 (11.1.1).

2. Configure OHS to access OBIEE.

a. Configure mod_wl_ohs in OHS to forward requests to the OBIEE Managed Server (bi_server1). Modify the mod_wl_ohs.conf file to give the WebLogic server details for OBIEE as shown below. The file is located in [OHS_HOME]\instances\instance\config\OHS\ohs1\mod_wl_ohs.conf:

<IfModule weblogic_module>

WebLogicHost <host_name>.com

WebLogicPort 7001

Debug ON

</IfModule>

<Location /analytics>

SetHandler weblogic-handler

</Location>

b. Restart OHS.

c. Test that you can access OBIEE via the OHS server. When a URL with ohs-machine:ohs-port/analytics is accessed, the browser will check for authentication in OAM and then redirect the path to OBIEE analytics.

3. Install WebGate.

Detailed installation steps for WebGate can be found in ORACLE® FUSION MIDDLEWARE INSTALLATION GUIDE FOR ORACLE IDENTITY MANAGEMENT 11G RELEASE 1 in section 23.3 INSTALLING ORACLE HTTP SERVER 11G WEBGATE FOR ORACLE ACCESS MANAGER.

4. Once WebGate is installed, deploy WebGate into OHS as follows:

a. Go to the <WEBGATE11G_HOME>\webgate\ohs\tools folder.

b. For Windows, run: deployWebGateInstance.bat -w <OHS_HOME>\instances\instance\config\OHS\otm63 -oh <WEBGATE11G_HOME>

c. For Linux, run: deployWebGateInstance.sh -w <OHS_HOME>\instances\instance\config\OHS\otm63 -oh <WEBGATE11G_HOME>

d. Add the necessary WebGate configuration information to the OHS config files:

i. Add [OHS_HOME]\lib to the PATH environment variable for this machine.

ii. Go to the <WEBGATE11G_HOME>\webgate\ohs\tools\ folder and locate the EditHttpConf file.

iii. For Windows, run: EditHttpConf.exe -w [OHS_HOME]\instances\instance\conf\OHS\ohs1 -oh <WEBGATE11G_HOME>

iv. For Unix, run: EditHttpConf -w [OHS_HOME]\instances\instance\conf\OHS\ohs1 -oh <WEBGATE11G_HOME>

e. Verify that the following exist:

[OHS_HOME]\instances\instance\config\OHS\ohs1\webgate.conf
[OHS_HOME]\instances\instance\config\OHS\ohs1\http.conf.ORIG
[OHS_HOME]\instances\instance\config\OHS\ohs1\http.conf, which must contain [OHS_HOME]\instances\instance\config\OHS\ohs1\webgate.conf as its last line.

f. Restart OHS.

5. Create instance of WebGate in OAM 11g as follows:

WebGate is a web server plug-in which intercepts user requests and communicates with the OAM server.

a. Register WebGate11G with the OAM server as follows:

i. Go to the <OAM_HOME>\oam\server\rreg\input folder.

ii. Edit the OAM11GRequest.xml file as follows:

<OAM11GRegRequest>
  <serverAddress>http://<oam_host>.com:<oam_port></serverAddress>
  <hostIdentifier>OBIEE_HostId11GLinux</hostIdentifier>
  <agentName>OBIEE_OAM11GLinux</agentName>
  <agentBaseUrl>http://<ohs_host>.com:<ohs_port></agentBaseUrl>
  <applicationDomain>OBIEE_OAM11GLinux</applicationDomain>
  <userDefinedParameters>
    <userDefinedParam>
      <name>RetainDownstreamPostData</name>
      <value>true</value>
    </userDefinedParam>
  </userDefinedParameters>
</OAM11GRegRequest>

iii. Go to the <OAM_HOME>\oam\server\rreg\bin\ folder.

iv. Edit oamreg.bat as follows:

1. REM Change the following value of OAM_REG_HOME to point to the correct rreg folder location, if not already set:
   set OAM_REG_HOME="[OAM_HOME]\oam\server\rreg"

2. REM JDK_HOME points to the JAVA_HOME env variable. Make sure that JAVA_HOME is set in your environment:
   set JDK_HOME=%JAVA_HOME%
   (set the JAVA_HOME variable pointing to JDK_HOME)

v. Windows: At a command prompt, enter the following:

cd [OAM_HOME]\oam\server\rreg
bin\oamreg.bat inband input\OAM11GRequest.xml

vi. Linux: At a command prompt, enter the following (the Linux launcher is the oamreg.sh script in the same bin folder):

cd [OAM_HOME]/oam/server/rreg
bin/oamreg.sh inband input/OAM11GRequest.xml

Note: For the agent, enter the username weblogic and the appropriate password for that weblogic user.

vii. Set the response OAM_REMOTE_USER as type header in the OAM console.

viii. Go to <OAM_HOME>\oam\server\rreg and locate the following files:

ObAccessClient.xml (storing the WebGate configuration parameters)
cwallet.sso

ix. Copy the above files to the OHS machine in the following location: <OHS_HOME>/instances/instance1/config/OHS/ohs1/webgate/config/.

x. Restart OAM.

xi. Restart OHS.


6. Integrate OBIEE 11g with OID as the user repository.

By default OBIEE 11g authenticates against WebLogic’s embedded LDAP server using the Default Authentication Provider.

a. You must add an additional Authentication Provider of type OID in the WebLogic Security Realm in the WebLogic Administration Console.

b. Set the control flag of that authentication provider to SUFFICIENT.

The control flags available are:

REQUIRED — The Authentication provider is always called, and the user must always pass its authentication test.

SUFFICIENT — If the user passes the authentication test of the Authentication provider, no other Authentication providers are executed (except Authentication providers with the JAAS Control Flag set to REQUIRED) because the user was sufficiently authenticated.

REQUISITE — If the user passes the authentication test of this Authentication provider, other providers are executed but can fail (except for Authentication providers with the JAAS Control Flag set to REQUIRED).

OPTIONAL — The user is allowed to pass or fail the authentication test of this Authentication provider. However, if all Authentication providers configured in a security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the authentication test of one of the configured providers.

c. Place this additional authentication provider at the top of the list.

d. Make sure to keep the Default WebLogic Authentication Provider to allow the BISystemUser to authenticate the BI server against WebLogic and for other internal communications.

Note: The configuration steps can be found in ORACLE® FUSION MIDDLEWARE SECURITY GUIDE FOR ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION in section 3 USING ALTERNATIVE AUTHENTICATION PROVIDERS and in sub-section 3.2.3.1 CONFIGURING ORACLE BUSINESS INTELLIGENCE TO USE ORACLE INTERNET DIRECTORY AS THE AUTHENTICATION PROVIDER.

7. In WebLogic Enterprise Manager, add the property virtualize and set the value to true. This property allows multiple authentication providers to be configured for OBIEE.

Note: The configuration steps can be found in ORACLE® FUSION MIDDLEWARE SECURITY GUIDE FOR ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION in section 3 USING ALTERNATIVE AUTHENTICATION PROVIDERS and sub-section 3.2.3.3 CONFIGURING ORACLE BUSINESS INTELLIGENCE TO USE MULTIPLE AUTHENTICATION PROVIDERS.

8. Regenerate GUIDs in Oracle BI.

GUID regeneration is the process of regenerating any metadata references to user GUIDs in the Oracle BI repository and Oracle BI Presentation Catalog. During the GUID regeneration process, each user name is looked up in the identity store. Then, all metadata references to the GUID associated with that user name are replaced with the GUID in the identity store.

Note: The configuration steps can be found in ORACLE® FUSION MIDDLEWARE SECURITY GUIDE FOR ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION in section 3 USING ALTERNATIVE AUTHENTICATION PROVIDERS and in sub-section 3.2.7 REGENERATING USER GUIDS.


9. Configure OAMIdentityAsserter as a new security service provider for WebLogic.

a. Add another authentication provider of type OAMIdentityAsserter in the WebLogic Administration Console.

b. Configure OAM_REMOTE_USER as the response header in the OAMIdentityAsserter authentication provider.

c. Set the control flag of this authentication provider to SUFFICIENT.

d. Move this authentication provider to the top of the list so that the OID authentication provider appears second in the list of authentication providers.

Note: The detailed steps are given in ORACLE® FUSION MIDDLEWARE SECURITY GUIDE FOR ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION 11G RELEASE 1 (11.1.1) in section 4 ENABLING SSO AUTHENTICATION and in sub-section 4.4.2 CONFIGURING ORACLE ACCESS MANAGER AS A NEW IDENTITY ASSERTER FOR ORACLE WEBLOGIC SERVER.
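To make the provider ordering of steps 6 and 9 concrete, the following Python simulation (an added example, not code from this guide, Oracle or WebLogic) applies the control-flag rules listed in step 6 to a chain of providers and reports which providers are consulted for several kinds of login. It goes slightly beyond the page by also showing what happens when OID is made REQUIRED instead of SUFFICIENT: the internal BISystemUser, which exists only in the embedded WebLogic LDAP, can no longer authenticate. Provider names and login outcomes are constructed, the REQUISITE-failure rule (stop the chain at once) is taken from standard JAAS rather than from the page, and the control flag of the Default Authenticator is an assumption (SUFFICIENT).

```python
"""Simulate WebLogic JAAS control flags over a chain of authentication providers.

Added example, not code from the OTM guide, Oracle or WebLogic. Rules applied:
  REQUIRED  - always consulted, must pass.
  REQUISITE - must pass; a failure ends the chain immediately (standard JAAS).
  SUFFICIENT- a pass skips the remaining providers except REQUIRED ones.
  OPTIONAL  - may pass or fail; overall login needs at least one pass.
Provider names and outcomes are constructed; the Default Authenticator's
control flag is assumed to be SUFFICIENT.
"""
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def evaluate_chain(providers, outcomes):
    """providers: ordered list of (name, control flag).
    outcomes: {name: True/False}, whether that provider accepts this login.
    Returns (authenticated, names of the providers actually consulted)."""
    consulted, passed, required_failed, short_circuit = [], 0, False, False
    for name, flag in providers:
        if short_circuit and flag != REQUIRED:
            continue        # after a SUFFICIENT pass only REQUIRED providers still run
        consulted.append(name)
        ok = outcomes.get(name, False)
        if ok:
            passed += 1
        if flag in (REQUIRED, REQUISITE) and not ok:
            required_failed = True
            if flag == REQUISITE:
                break       # standard JAAS: a REQUISITE failure ends the chain at once
        if flag == SUFFICIENT and ok:
            short_circuit = True
    return (not required_failed and passed > 0), consulted


def guide_chain():
    """Provider order the guide arrives at: OAMIdentityAsserter first (step 9d),
    OID second (step 6c), Default Authenticator kept (step 6d)."""
    return [("OAMIdentityAsserter", SUFFICIENT),
            ("OID", SUFFICIENT),
            ("DefaultAuthenticator", SUFFICIENT)]   # flag assumed, not from the guide


# Constructed login attempts: which provider would accept each principal.
SCENARIOS = {
    "sso_user":     {"OAMIdentityAsserter": True,  "OID": True,  "DefaultAuthenticator": False},
    "direct_oid":   {"OAMIdentityAsserter": False, "OID": True,  "DefaultAuthenticator": False},
    "BISystemUser": {"OAMIdentityAsserter": False, "OID": False, "DefaultAuthenticator": True},
    "unknown":      {"OAMIdentityAsserter": False, "OID": False, "DefaultAuthenticator": False},
}


def run_scenarios(providers):
    """Evaluate every constructed scenario against a provider chain."""
    return {who: evaluate_chain(providers, outcome) for who, outcome in SCENARIOS.items()}


if __name__ == "__main__":
    for who, (ok, path) in run_scenarios(guide_chain()).items():
        print(f"{who:13s} authenticated={ok} via {path}")
    # What goes wrong if OID is made REQUIRED instead of SUFFICIENT:
    strict = [("OAMIdentityAsserter", SUFFICIENT), ("OID", REQUIRED), ("DefaultAuthenticator", SUFFICIENT)]
    print("BISystemUser with OID=REQUIRED:", run_scenarios(strict)["BISystemUser"])
```

With the guide's ordering an SSO request is settled by OAMIdentityAsserter alone, a direct OID login falls through to OID, and BISystemUser reaches the Default Authenticator; only the last provider in the chain is consulted for a user nobody knows.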

10. Enable OBIEE to use SSO.

a. In WebLogic Enterprise Manager, navigate to Business Intelligence > Coreapplication > Security.

b. Enable SSO by choosing Oracle Access Manager.

Note: The detailed steps are given in ORACLE® FUSION MIDDLEWARE SECURITY GUIDE FOR ORACLE BUSINESS INTELLIGENCE ENTERPRISE EDITION 11G RELEASE 1 (11.1.1) in section 4 ENABLING SSO AUTHENTICATION and in sub-section 4.6 USING FUSION MIDDLEWARE CONTROL TO ENABLE SSO AUTHENTICATION.