Setting up Oracle9iAS Portal to use OID

Relationship between SSO, OID, DAS and Portal

From the user's perspective

Oracle9iAS Portal uses the Single Sign-On (SSO) Server for user authentication. When a user first comes to the portal, they see only the public pages and content. In order to see the restricted content, they must click the Login link to be authenticated as an authorized user. The Login link takes the user to the SSO Server login page, where they can enter their user name and password.

The SSO Server verifies the user name and password against the credentials stored in Oracle Internet Directory (OID). If the authentication is successful, the SSO Server creates a session cookie for the user. Oracle9iAS Portal uses the information in the session cookie to query the user's privileges specified in OID.

Modifying OID configuration

Oracle9iAS Portal can be configured to make OID connections over an SSL encrypted session. By default, Oracle9iAS Portal connects to OID using LDAP without SSL. If the OID server is configured for an SSL port, then Oracle9iAS Portal can be configured to use LDAP over SSL, also known as LDAPS.

Please see the OID documentation on Oracle Technology Network for how to configure OID for an LDAPS port.

To configure Oracle9iAS Portal to use SSL to OID, the wwc/secupoid.sql script is provided. This script allows you to change the following configuration parameters related to OID in Oracle9iAS Portal:

When you install Oracle9iAS Portal, the association with an OID server is made automatically. However, you may want to change some settings after installation. For example, you may want to switch the OID connection to SSL, because the installation defaults to non-SSL mode.

To do this, run the secupoid.sql script in the PORTAL schema and specify the LDAPS port instead of the LDAP port and indicate that you want to use SSL.

In the example below, the OID server was initially configured to run LDAP on port 389, and an LDAPS port was later activated on 636. Since the server name does not change, retain the old host value, update the port to 636, and set the 'Use SSL?' value to "Y".

Running the script displays the current configuration and then lets you replace any of the four values it shows.

The script also offers to refresh the portal's OID cache once the new settings are saved. Since activating SSL does not change any of the information that the portal caches from OID, it is not necessary to refresh the cache in this case.

Example execution:

=================

SQL*Plus: Release 9.0.1.0.0 - Production on Thu Nov 29 17:55:43 2001
(c) Copyright 2001 Oracle Corporation. All rights reserved.
Connected to:
Oracle9i Release 9.0.1.1.0 - Production
JServer Release 9.0.1.0.0 - Production
SQL> @secupoid

Current Configuration
--------------------

OID Host: oid.domain.com
OID Port: 389
Application DN:
orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext
Application Password: 3E8C2D1B87CB61011757239C5AA9B390
Use SSL? N
PL/SQL procedure successfully completed.
Updating OID Configuration Entries
Press [Enter] to retain the current value for each parameter
For SSL Connection to LDAP, specify "Y"es or "N"o
------------------------------------------------

Enter value for oid_host:
Enter value for oid_port: 636
Enter value for app_password:
Enter value for use_ssl_to_connect_to_ldap: Y
Enter value for refresh_with_new_settings: N
PL/SQL procedure successfully completed.
No errors.
SQL>

After executing the script, Oracle9iAS Portal is configured for LDAPS access to the OID server. Oracle9iAS Portal never passes a user's password to the OID server; only the SSO Server does that. However, Oracle9iAS Portal authenticates to the OID server through its own application entry, using the application password. Because that entry holds proxy privileges, it can act on behalf of any user, so its password must be protected as carefully as any user credential.
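Before or after running secupoid.sql, it is worth confirming that the OID host really accepts certificate-verified LDAPS connections and that the Portal application entry can bind over them. The following is an added example, not part of the Oracle documentation: it hand-encodes an LDAPv3 simple bind and sends it over a TLS session with certificate and hostname verification. The host and DN are the values shown above; the application password is a constructed placeholder.

```python
import socket
import ssl

# Host and DN as reported by secupoid.sql in the text; password is a placeholder.
OID_HOST = "oid.domain.com"
OID_LDAPS_PORT = 636
APP_DN = "orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext"
APP_PASSWORD = "APP_PASSWORD_PLACEHOLDER"  # constructed placeholder, not a real value

def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(payload)) + payload

def bind_request(dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511, section 4.2)."""
    body = (tlv(0x02, bytes([3]))            # version INTEGER 3
            + tlv(0x04, dn.encode())         # name LDAPDN
            + tlv(0x80, password.encode()))  # simple [0] OCTET STRING
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, body))

def read_tlv(buf: bytes, pos: int = 0):
    """Decode one BER TLV at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def bind_result_code(response: bytes) -> int:
    """resultCode of a BindResponse: 0 = success, 49 = invalidCredentials."""
    _, msg, _ = read_tlv(response)           # LDAPMessage SEQUENCE
    _, _, pos = read_tlv(msg)                # skip messageID
    op_tag, op, _ = read_tlv(msg, pos)
    if op_tag != 0x61:                       # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    return int.from_bytes(read_tlv(op)[1], "big")

def ldaps_bind(host: str, port: int, dn: str, password: str) -> int:
    """TLS-wrap the socket with certificate and hostname verification, then bind."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(bind_request(dn, password))
            return bind_result_code(tls.recv(4096))

if __name__ == "__main__":
    print("bind resultCode:", ldaps_bind(OID_HOST, OID_LDAPS_PORT, APP_DN, APP_PASSWORD))
```

ssl.create_default_context() refuses unverifiable certificates and protocol versions older than TLS 1.2, so a handshake failure here is itself a finding about how the LDAPS endpoint is configured.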

Changing the application password

To change the application password, first change it in OID using the command-line utilities or the Oracle Directory Manager tool. The application entry DN is reported by the secupoid.sql script. By default, the Oracle9iAS Portal application entry is:

orclApplicationCommonName=PORTAL,cn=Portal,cn=Products,cn=OracleContext

To change the password, set the userPassword attribute of that entry to the desired value. Then run upsecoid.sql in the PORTAL schema and specify the new password there. Oracle9iAS Portal encrypts the password and keeps it in the portal preference store, from which it retrieves it whenever it needs to connect to OID.
