Page 11 - The Oracle Application Server 10g Infrastructure
SSO Administration Using the mod_osso Utility - Oracle
If you need to handle the administration and management of Oracle Application Server 10g, this article covers the metadata repository (iasdb), the Single Sign-On (SSO) security framework, and the Oracle Application Server 10g Management Services. It is excerpted from chapter 2 of the book, Oracle Application Server 10g Administration Handbook, written by John Garmany and Donald Burleson (McGraw-Hill/Osborne, 2004; ISBN: 0072229586).
As SSO expanded into the Application Server 10g architecture, Oracle recognized that the Oracle HTTP Server (OHS) should be included in the SSO framework. Starting with Application Server 10g version 2, the mod_osso module was created to allow SSO to function within OHS.
Before mod_osso, specific logic would have to be embedded into the Java application if the application was to use SSO. The mod_osso module now makes it easy for incoming users to connect directly to SSO, become authorized, and get the required information to access their applications (Figure 2-5). The mod_osso utility also allows for a single security point, thereby relieving the tedious and cumbersome problem of maintaining multiple securities for each Application Server 10g component.
Figure 2-5. Using SSO to connect to Application Server 10g
To see SSO in action, let's look at the steps that occur when an Application Server 10g client connects to his or her application:
1. The user requests a URL through a web browser. This URL is intercepted by the Oracle HTTP Server.
2. The HTTP Server calls mod_osso to locate a cookie for the user on the HTTP Server. If the cookie exists, the web server extracts the user's information and uses it to log the user in to the requested application. At this point the connection is established.
3. If the cookie does not exist on the HTTP Server, mod_osso redirects the user to the Single Sign-On server.
4. The Single Sign-On server makes a request back to the user's browser to see if a local cookie exists on the user's PC. If it finds no remote cookie, SSO tries to authenticate the user with a username and password. If authentication is successful, the Single Sign-On server creates a cookie in the browser as a reminder that the user has been authenticated. If a cookie exists, the Single Sign-On server will authenticate using the cookie.
5. Upon successful sign-on, the SSO server then returns the user's encrypted information to mod_osso.
6. mod_osso creates a cookie for the user and sends it to the browser PC. It then redirects the user to his or her original URL page.
As you see, mod_osso is an alternative method for maintaining SSO, but it is not as powerful as server-side scripting for command interfaces.
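The sign-on sequence above can be traced with a small model, added here as an illustration; it is not code from the book or from Oracle. It shows which requests trigger a redirect, when a password is needed, and that a forged application cookie is rejected. All function names, the cookie names, the sample user and the "access denied" outcome are hypothetical, and an HMAC-signed token stands in for the encrypted user information, whose real format the text does not describe.

```python
import hashlib
import hmac

# Constructed sample data; all names are hypothetical, not Oracle APIs.
USERS = {"jsmith": "s3cret"}       # SSO server's credential store
SHARED_KEY = b"demo-partner-key"   # secret shared by SSO server and mod_osso


def sign(user):
    """Stand-in for the encrypted user information the SSO server returns."""
    mac = hmac.new(SHARED_KEY, user.encode(), hashlib.sha256).hexdigest()
    return f"{user}:{mac}"


def verify(token):
    """Return the user name if the token is authentic, else None."""
    user, _, mac = token.rpartition(":")
    good = sign(user).rpartition(":")[2]
    return user if hmac.compare_digest(mac.encode(), good.encode()) else None


def sso_server(browser, credentials=None):
    """SSO server side: reuse the SSO cookie, else check username/password."""
    user = verify(browser.get("sso_cookie", ""))
    if user is None:
        name, password = credentials or ("", "")
        stored = USERS.get(name)
        if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
            return None                      # authentication failed
        user = name
        browser["sso_cookie"] = sign(user)   # cookie set in the browser
    return sign(user)                        # token returned to mod_osso


def mod_osso(browser, app, url, credentials=None):
    """HTTP Server side for one request; returns the sequence of actions."""
    trace = []
    user = verify(browser.get(f"{app}_cookie", ""))
    if user is None:                         # no valid cookie for this app
        trace.append("redirect to SSO server")
        token = sso_server(browser, credentials)
        if token is None:
            return trace + ["access denied"]
        user = verify(token)
        browser[f"{app}_cookie"] = token     # mod_osso's own cookie
        trace.append(f"redirect back to {url}")
    return trace + [f"serve {url} as {user}"]
```

Calling mod_osso() repeatedly with the same browser dictionary shows the single sign-on effect: the first request needs credentials, a repeat request is served from the application cookie, and a request to a second application is authenticated from the SSO cookie alone.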
The Oracle Application Server 10g infrastructure is a critical component of your enterprise because it serves as a centralized repository and management facility that controls the operation of several vital components. The focus of this chapter has been on the configuration and management of the infrastructure, and the main points are as follows:
The Application Server 10g infrastructure is a database instance with an ORACLE_SID of iasdb.
The iasdb instance contains separate schemas for each component within the Application Server 10g architecture.
The infrastructure database contains more than 10,000 objects and over 1000 individual tables.
The infrastructure contains log tables that monitor administration and usage activities for several Application Server 10g components, including Portal and SSO.
Startup and shutdown of the infrastructure must be carefully coordinated with other system processes, such that the infrastructure is started before the Application Server 10g components. Upon shutdown, the Application Server 10g processes and services must be stopped before shutting down the infrastructure. Scripts are the recommended way of doing this!
Because the infrastructure is a central point of failure for the entire enterprise, administrators commonly use tools such as Oracle9i and Oracle Data Guard or Oracle Real Application Clusters to ensure against instance failure. Many administrators also use multiple levels of RAID to ensure against unexpected disk failure.
The SSO component of the Application Server 10g repository is arguably one of the single most important components of the enterprise. All incoming connections to the Application Server 10g must pass through the infrastructure SSO login server; thus it is vital that the SSO login server be continuously available for servicing HTTP requests.
In the next chapter we will look at details of the initial installation and configuration of Application Server 10g and its components.