January 2014
Oracle Transportation Management OAM Integration Guide, Release 6.3
Copyright © 2009, 2014, Oracle and/or its affiliates. All rights reserved. iii
Send Us Your Comments
Oracle Transportation Management OAM Integration Guide, Release 6.3
Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.
If you have problems with the software, contact Support at https://support.oracle.com or find the
Support phone number for your region at http://www.oracle.com/support/contact.html.
Preface
This document provides guidelines for integrating Oracle Access Manager (OAM) with Oracle
Transportation Management (OTM). It includes an architectural overview as well as step-by-step
instructions to configure both products for interoperability. System architects should use this
document to design a common security layer that incorporates Oracle Transportation Management.
System integrators should use this document to implement communication between the products. This
connection ensures security data is synchronized between the two products.
Change History
Date      Document Revision   Summary of Changes
2/2013    -02                 Added new section on Configuring FTI with OAM (SSO), Bug 16317373
8/2013    -03                 Updates for OAM and WebGate for Single Sign-on
12/2013   -04                 Reworked section on Configuring FTI with OAM to include new product
                              GTI. Section is now titled “Configuring FTI/GTI with OAM (SSO)”.
1. General Architecture
An OAM/Oracle Transportation Management integration environment consists of three distinct
subsystems:
- A secure intranet running Oracle Transportation Management web and application servers.
  Each web server runs Oracle HTTP Server fronting a Tomcat servlet engine. The application
  servers run on WebLogic. HTTP requests are accepted on port 8080.
- One or more OAM web servers running Web Pass, Policy Manager and Web Gate. While OAM
  supports a number of web server platforms, Oracle Transportation Management is certified
  against the Oracle HTTP Server. HTTP requests are accepted on port 80.
- An OAM server zone. This consists of one or more Identity and Access servers backed by an
  Oracle Internet Directory (OID) active directory.
To manage enterprise users, an administrator accesses an OAM web server to add, update, and
remove user information from the OAM Identity Server. To implement single sign-on, OTM's OHS
server has a WebGate installed that communicates with OAM for authenticating and authorizing
enterprise users.
User Synchronization
Shared Attributes
An auxiliary object class (otmUser) in the active directory defines attributes shared by Oracle
Transportation Management and OAM. These attributes include:
- The Oracle Transportation Management user ID. This links an OAM enterprise user to a specific
  Oracle Transportation Management user. Two mapping models can be used. In the one-to-one
  model, an OAM user may map to at most one Oracle Transportation Management user. This
  gives an OAM manager full control over Oracle Transportation Management attributes
  without inadvertently affecting other users. Conversely, the many-to-one model maps many
  OAM users to a single Oracle Transportation Management user. In an environment with tens
  of thousands of users, this improves Oracle Transportation Management scalability at the
  cost of reduced control.
- The Oracle Transportation Management user role. This is the default user role GID for the
  Oracle Transportation Management user.
- The Oracle Transportation Management user preferences. If specified, a User Preferences
  access record is added to Oracle Transportation Management, specifying a user preference
  override for this user.
- The Oracle Transportation Management user menus. If specified, a User Menu access record is
  added to Oracle Transportation Management, specifying one or more user menu layout
  overrides for this user.
- The Oracle Transportation Management nickname. An alternate login for Oracle Transportation
  Management intranet users.
- The Oracle Transportation Management user password. If single sign-on is not used or intranet
  users are supported, OAM managers can control the Oracle Transportation Management
  password. If left blank, the Oracle Transportation Management password is set to a default.
Changes to these attributes made in OAM are reflected in the Oracle Transportation Management
schema and user management pages. Changes to these attributes made in Oracle Transportation
Management are reflected in the OAM user panels.
OAM to Oracle Transportation Management
Changes made to Oracle Transportation Management attributes in OAM are validated and forwarded to
Oracle Transportation Management. This is done through four custom event handlers:
1. An external action in the Create OTM User workflow. This action validates Oracle
Transportation Management user information via an Oracle Transportation Management
servlet. If validation succeeds, the action sends a User XML integration message to the Oracle
Transportation Management web server, adding or modifying the corresponding Oracle
Transportation Management user. This workflow should be available to all OAM users with
rights to add Oracle Transportation Management users. When such a user selects Create
User Identity from the User Manager, they can opt to create a basic user or to create an
Oracle Transportation Management user. The Oracle Transportation Management user flow
triggers the Create OTM User workflow.
2. An external action in the Modify OTM User workflow. This action validates Oracle
Transportation Management user information via an Oracle Transportation Management web
server servlet. If validation succeeds, the action sends a User XML integration message to the
Oracle Transportation Management web server, adding, modifying, or deleting the
corresponding Oracle Transportation Management user [1]. This workflow should be available to
all managers. When a manager tries to modify an OAM user, the Oracle Transportation
Management attributes are only accessible via a Request to Remove or Request to Modify
button on the Oracle Transportation Management user GID. These buttons trigger the Modify
OTM User workflow.
3. An external action in the Delete OTM User workflow. This action sends a User XML integration
message to the Oracle Transportation Management web server, removing the corresponding
Oracle Transportation Management user. If the Identity Server is configured with the many-to-
one user model, this action is ignored.
4. An on-change handler for the inetOrgPerson object class. An administrator (e.g. orcladmin)
may modify Oracle Transportation Management attributes directly without triggering the
Modify OTM User workflow. Any changes to Oracle Transportation Management attributes are
still validated against an Oracle Transportation Management servlet and User XML is sent to
Oracle Transportation Management.
Any validation or communication errors are embedded into the OAM event or Presentation XML and
displayed to the OAM user. If the errors occurred within the Create, Modify, or Delete workflow, the
workflow is aborted: OAM user changes are not committed. If an error occurs during the on-change
handler for inetOrgPerson, OAM user changes are still committed. As this can lead to inconsistencies
between OAM and Oracle Transportation Management user information, avoid modifying Oracle
Transportation Management attributes as an administrator when possible.
Oracle Transportation Management provides three executable jar files to implement event handlers:
OnOTMUserAdd.jar, OnOTMUserChange.jar and OnOTMUserDelete.jar. The OnOTMUserChange.jar is
used for both the Modify External action and for On Change Events to inetOrgPerson. These handlers
are written in Java and run in a separate process space from the Identity Server.
Validation
The following are current validation checks performed by Oracle Transportation Management:
[1] If the OTM User GID is cleared in OTM, and the Identity Server supports a one-to-one user
model, the corresponding OTM user is deleted.
- Reserved Users. Oracle Transportation Management ADMIN and DEFAULT users are reserved.
  OAM cannot associate a user with an Oracle Transportation Management reserved user. If you
  want an OAM user to login as an Oracle Transportation Management reserved user, leave their
  Oracle Transportation Management User GID blank. When accessing Oracle Transportation
  Management, they will be prompted to enter an Oracle Transportation Management user and
  password and can directly login as a reserved user.
- One-to-one User Model. If the Identity Server is using the one-to-one user model, an Oracle
  Transportation Management User GID can be referenced by at most one OAM user. The
  one-to-one model is specified in the oblixpppcatalog.lst configuration file on the Identity
  Server.
- Valid Domain. When specifying a new Oracle Transportation Management User GID, the
  domain name must be a valid domain from the Oracle Transportation Management DOMAIN
  table.
- Old Password. When modifying an Oracle Transportation Management password for an
  existing Oracle Transportation Management user, the previous password stored in OAM must
  match the password stored in Oracle Transportation Management. This is necessary to meet
  the credential requirements for User XML.
- Nickname. Each Oracle Transportation Management Nickname must be unique across all
  Oracle Transportation Management users.
- User Role. The user role must match a USER_ROLE_GID from the Oracle Transportation
  Management USER_ROLE table.
- User Preferences. The user preferences must match a USER_PREFERENCE_GID from the
  Oracle Transportation Management USER_PREFERENCE table.
- User Menus. Each user menu must match a USER_MENU_LAYOUT_GID from the Oracle
  Transportation Management USER_MENU_LAYOUT table.
It’s possible for validation to succeed but for Oracle Transportation Management to encounter errors
processing the User XML. For example, the Oracle Transportation Management user specified in
oblixpppcatalog.lst may only have rights to add users for a particular Oracle Transportation
Management domain. If the OAM administrator tries to associate an OAM user with an Oracle
Transportation Management user outside that domain, the resulting VPD error is not caught until the
User XML is processed. This occurs asynchronously, independently of the OAM workflow. To catch
these errors, you can configure OAM to send Oracle Transportation Management transaction report
error emails to a monitoring mailbox (see the Linking Oracle Transportation Management External
Actions section). Any errors received in this mailbox require manual synchronization of the OAM and
Oracle Transportation Management users.
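The checks listed above, worked through as an added example (not Oracle's validation servlet): the OTM tables, the stored passwords and nicknames, and the one-to-one flag from oblixpppcatalog.lst are constructed in memory, and the DOMAIN.XID form of a user GID is assumed.

```python
# Validation of Oracle Transportation Management attributes submitted from OAM.
# Constructed stand-ins replace the OTM tables (DOMAIN, USER_ROLE, USER_PREFERENCE,
# USER_MENU_LAYOUT), the stored passwords and nicknames, and the mapping-model flag.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

RESERVED_USERS = {"ADMIN", "DEFAULT"}   # reserved OTM users named in the guide


@dataclass
class OtmSchema:
    """Constructed in-memory view of what the validation servlet consults."""
    domains: Set[str]
    user_roles: Set[str]
    user_preferences: Set[str]
    user_menu_layouts: Set[str]
    users: Dict[str, str]        # OTM user GID -> stored password
    nicknames: Dict[str, str]    # nickname -> OTM user GID that owns it
    oam_links: Dict[str, str]    # OAM login -> otmUserGid already assigned


@dataclass
class OtmUserRequest:
    """Attributes an OAM workflow submits for one OAM user."""
    oam_user: str
    user_gid: Optional[str]                 # assumed DOMAIN.XID form, e.g. "GUEST.JSMITH"
    user_role_gid: Optional[str] = None
    user_preference_gid: Optional[str] = None
    user_menu_layout_gids: List[str] = field(default_factory=list)
    nickname: Optional[str] = None
    old_password: Optional[str] = None
    new_password: Optional[str] = None


def validate(req: OtmUserRequest, schema: OtmSchema, one_to_one: bool) -> List[str]:
    """Return the list of validation errors; an empty list means the request passes."""
    errors: List[str] = []
    gid = req.user_gid
    if not gid:
        # Blank GID is permitted: the user is prompted for OTM credentials instead.
        return errors
    if gid.upper() in RESERVED_USERS:
        errors.append(f"{gid}: OAM cannot be linked to a reserved OTM user")
    domain = gid.split(".", 1)[0] if "." in gid else None
    if domain is None or domain not in schema.domains:
        errors.append(f"{gid}: domain is not in the OTM DOMAIN table")
    if one_to_one:
        holders = [u for u, g in schema.oam_links.items() if g == gid and u != req.oam_user]
        if holders:
            errors.append(f"{gid}: already mapped to OAM user {holders[0]} (one-to-one model)")
    if req.new_password is not None and gid in schema.users:
        # The previous password held in OAM must match what OTM has stored.
        if req.old_password != schema.users[gid]:
            errors.append(f"{gid}: old password does not match OTM")
    if req.nickname is not None:
        owner = schema.nicknames.get(req.nickname)
        if owner not in (None, gid):
            errors.append(f"nickname {req.nickname!r} already belongs to {owner}")
    if req.user_role_gid is not None and req.user_role_gid not in schema.user_roles:
        errors.append(f"{req.user_role_gid}: not in USER_ROLE")
    if req.user_preference_gid is not None and req.user_preference_gid not in schema.user_preferences:
        errors.append(f"{req.user_preference_gid}: not in USER_PREFERENCE")
    for layout in req.user_menu_layout_gids:
        if layout not in schema.user_menu_layouts:
            errors.append(f"{layout}: not in USER_MENU_LAYOUT")
    return errors


# Constructed sample data for a stand-alone run.
SAMPLE_SCHEMA = OtmSchema(
    domains={"GUEST", "SHIPPER"},
    user_roles={"GUEST.PLANNER", "SHIPPER.PLANNER"},
    user_preferences={"GUEST.DEFAULT_PREFS"},
    user_menu_layouts={"GUEST.PLANNER_MENU"},
    users={"GUEST.JSMITH": "s3cret"},
    nicknames={"jsmith": "GUEST.JSMITH"},
    oam_links={"jsmith@example.com": "GUEST.JSMITH"},
)
```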
User XML
User XML integration messages are an Oracle Transportation Management 6.0 extension to the Oracle
Transportation Management integration layer. The schema for the new GLogElement is:
OAM integration leverages the GlUserGid, TransactionCode, Nickname, UserPassword, UserRoleGid,
UserPreferenceGid, UserMenuLayoutGid, and IsFromOAM elements. The IsFromOAM ensures that
updates from OAM to Oracle Transportation Management don’t trigger any updates back to OAM.
The event handlers only forward fields that have changed. For workflow events, the handler retrieves
previous values by querying the OAM web server with Identity XML [2]. It then compares these against
the new values supplied by the workflow and constructs an appropriate User XML.
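The change-detection step described above, as an added example rather than Oracle's OnOTMUserChange code: previous values that the real handler would fetch with Identity XML are a constructed dict, and the root element name, the TransactionCode values, the IsFromOAM value and the otmNickname/otmUserPassword/otmUserRole attribute names are assumptions.

```python
# Building the User XML an OAM workflow handler sends to OTM, forwarding only the
# attributes that changed. Previous values are constructed here; in OAM they come
# from Web Pass via Identity XML.
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# OAM attribute -> User XML element. otmUserGid, otmUserPreferences and otmUserMenus
# are named in the guide; otmNickname, otmUserPassword and otmUserRole are assumed.
ATTR_TO_ELEMENT = {
    "otmUserGid": "GlUserGid",
    "otmNickname": "Nickname",
    "otmUserPassword": "UserPassword",
    "otmUserRole": "UserRoleGid",
    "otmUserPreferences": "UserPreferenceGid",
    "otmUserMenus": "UserMenuLayoutGid",   # list: one element per menu layout
}


def changed_fields(previous: Dict, current: Dict) -> Dict:
    """Return {attribute: new value} for every OTM attribute whose value differs."""
    return {a: current.get(a) for a in ATTR_TO_ELEMENT
            if previous.get(a) != current.get(a)}


def build_user_xml(previous: Dict, current: Dict, one_to_one: bool = True) -> Optional[str]:
    """Return the User XML for this change, or None when nothing needs to be sent."""
    changes = changed_fields(previous, current)
    if not changes:
        return None
    old_gid, new_gid = previous.get("otmUserGid"), current.get("otmUserGid")
    root = ET.Element("User")   # assumed name for the GLogElement
    if new_gid:
        ET.SubElement(root, "GlUserGid").text = new_gid
        ET.SubElement(root, "TransactionCode").text = "IU"   # assumed insert-or-update code
        for attr, value in changes.items():
            if attr == "otmUserGid":
                continue   # already carried by GlUserGid
            if attr == "otmUserMenus":
                for layout in value or []:
                    ET.SubElement(root, "UserMenuLayoutGid").text = layout
            else:
                # A cleared attribute is sent as an empty element (assumed convention).
                ET.SubElement(root, ATTR_TO_ELEMENT[attr]).text = value
    elif old_gid and one_to_one:
        # GID cleared under the one-to-one model: the OTM user is deleted (footnote 1).
        ET.SubElement(root, "GlUserGid").text = old_gid
        ET.SubElement(root, "TransactionCode").text = "D"   # assumed delete code
    else:
        # Many-to-one model: other OAM users may still share the OTM user, so nothing is sent.
        return None
    # IsFromOAM stops OTM from pushing this same change back to OAM.
    ET.SubElement(root, "IsFromOAM").text = "Y"   # assumed flag value
    return ET.tostring(root, encoding="unicode")


# Constructed sample: previous values as Identity XML would return them.
SAMPLE_PREVIOUS = {
    "otmUserGid": "GUEST.JSMITH",
    "otmNickname": "jsmith",
    "otmUserRole": "GUEST.PLANNER",
    "otmUserMenus": ["GUEST.PLANNER_MENU"],
}
```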
Access Requirements
Event handlers running on the Identity Server must have HTTP access to both the OAM Web Pass web
server and the Oracle Transportation Management integration web server.
- User Manager, including the Remove User, Update Nickname, Update Password, and Update
  User Role actions.
- Manage User Access with the User Preference access type. This corresponds to the OAM
  otmUserPreferences attribute when the User Access User ID is specific to the Oracle
  Transportation Management user.
- Manage User Access with the User Menu access type. This corresponds to the OAM
  otmUserMenus attribute when the User Access User ID is specific to the Oracle Transportation
  Management user.
Change Password
When a user change is detected, Oracle Transportation Management interacts with an OAM Web Pass
web server to:
- Identify all distinguished names whose otmUserGid matches the modified user.
- For modified or removed user fields, update the attribute on all matching OAM users.
- For removed users, clear the otmUserGid field on all matching OAM users.
If the OAM server is not available, the Oracle Transportation Management action throws an
exception and user changes are not committed.
Single Sign-on
Customers can leverage OAM single-sign on to delegate authentication of Oracle Transportation
Management pages to OAM. Requests are sent to OTM and intercepted by a WebGate installed on the
OHS instance. The WebGate looks for an authentication cookie and if not present, redirects the user to
OAM for authentication. Once authenticated, the WebGate can store the User ID in a header value, as
a request parameter, or in a cookie. This is configured in OAM and must match the configuration in
OTM. The User ID can be the GL User GID or a Nickname. Once that is set the user can access OTM.
Certain users may need to access multiple users in Oracle Transportation Management or login as a
reserved user. By omitting the otmUserGid attribute for these users, Oracle Transportation
Management redirects proxy requests to the Oracle Transportation Management login page. This
allows an OAM user direct access to Oracle Transportation Management security.
[2] As a separate Java process, the handler does not have direct access to the Identity API.
For clients behind the Oracle Transportation Management intranet, requests can be made directly
against the Oracle Transportation Management web server. Though user attributes are still
manageable from OAM, SSO is avoided and intranet users have direct access to Oracle Transportation
Management security.
2. Integration Setup
Active Directory Modifications
Oracle Transportation Management requires an otmUser auxiliary object class in the Lightweight
Directory Access Protocol (LDAP) directory holding OAM user information. The class must have the
following attributes:
The otmUser class must contain the above attributes as optional attributes. Under OID, the class must
be defined as:
Figure 1 shows the Oracle Transportation Management-specific attributes under Oracle Directory Manager.
Figure 2 shows the Oracle Transportation Management-specific auxiliary class under Oracle Directory Manager.
3. Select Tabs.
4. Select the Employees tab.
5. Press the View Object Profile button.
6. Select Configure Panels.
7. Press the Create button.
8. Add a panel OTM containing all six Oracle Transportation Management attributes. You may
want to order the attributes by likely frequency of use: OTM User ID, OTM User Role, OTM
User Preferences, OTM User Menus, OTM Nickname, OTM Password.
9. Add an additional attribute for Manager. Only managers can invoke workflows to modify Oracle
Transportation Management attributes, so you must specify a valid manager for each Oracle
Transportation Management user.
10. Select the Panel Information Is Complete check box.
11. Click Save.
12. Go back to the View Tab page for Employees.
13. Select the View Search Attributes button. Confirm the six Oracle Transportation
Management attributes are searchable.
Adding Oracle Transportation Management User Information to Search Results
If you want Oracle Transportation Management user information to be displayed on user search
results, perform the following steps:
1. Login to the User Manager as the Master Administrator and select the Configuration tab.
2. Select Attribute Access Control.
3. Select all attributes and assign their Read rights to Manager and Self.
4. Click Save.
5. Select all but the six Oracle Transportation Management attributes and assign their Modify
rights to Manager.
6. Click Save.
7. Confirm no role is assigned modify rights for the Oracle Transportation Management
attributes.
Note that the following sections assume you have familiarity with creating basic and custom
workflows. Workflows should already be enabled for adding, modifying, and deactivating non-Oracle
Transportation Management users in your enterprise. An additional workflow must be enabled for
adding a group. Please consult the OAM Identity and Common Administration Guide for more
information.
The workflow examples provided in sections Adding Workflow: Create Oracle Transportation
Management User, Adding Workflow: Modify Oracle Transportation Management User, and Adding
Workflow: Delete Oracle Transportation Management User can serve as starting points for more
complex workflows requiring automated or human approval processes. They are provided as simple
examples for synchronizing Oracle Transportation Management with OAM in response to external
actions.
Add a workflow to support creation of Oracle Transportation Management users using the following
steps:
Step   Previous Step   Attributes Requirement   Participants   Notes
Add a workflow to support modification of Oracle Transportation Management user information using
the following steps:
1. Create a Change Attribute type workflow named Modify OTM User. Select otmUserGid as the
change attribute.
2. Add the following workflow steps:
Step   Previous Step   Attributes Requirement   Participants   Notes
Add a workflow to support removal of Oracle Transportation Management users using the following
steps:
Linking Oracle Transportation Management External Actions
OAM communicates with Oracle Transportation Management via two servlets running on an Oracle
Transportation Management web server:
- a validation servlet, to verify Oracle Transportation Management attribute data exists in the
  Oracle Transportation Management schema
- an integration servlet, to create/update/delete Oracle Transportation Management users
Three external actions, written in Java, are provided to implement the external actions from the OAM
workflows to these Oracle Transportation Management servlets. To install these actions:
1. Make sure a Java Run-Time Environment (JRE) is installed on the identity server.
2. Create a directory on your identity server for the Oracle Transportation Management external
actions. We recommend:
3. Copy the following files from the OAMExternalActions directory under your Oracle
Transportation Management installation to the Oracle Transportation Management Apps
Directory:
   - OnOTMUserAdd.jar
   - OnOTMUserChange.jar
   - OnOTMUserDelete.jar
   - xercesImpl.jar
where:
   Create ID = the Create OTM User obworkflowid from the Adding Workflow: Create Oracle
      Transportation Management User section.
   Update ID = the Update OTM User obworkflowid from the Adding Workflow: Modify Oracle
      Transportation Management User section.
   Delete ID = the Delete OTM User obworkflowid from the Adding Workflow: Delete Oracle
      Transportation Management User section.
   JRE Directory = a Java bin directory, installed on the identity server
   OTM Apps Directory = the directory created in Step 2, holding Oracle Transportation
      Management external actions
Note: Managers cannot have direct attribute modify rights due to workflow constraints, so the
integration should use a master administrator or a particular user with assigned rights.
Argument                 Description                               Required/Optional              Example
-oamUser <OAM user>      The OAM user for the query. This user     Required for Update OTM User   -oamUser orcladmin
                         must have read access to all Oracle
                         Transportation Management attributes.
-oamPwd <OAM Password>   The OAM password.                         Required for Update OTM User   -oamPwd mypassword
Oracle Transportation Management Property Modifications
When user attributes are changed in Oracle Transportation Management, OAM must be notified of the
changes. In general, Oracle Transportation Management uses Identity XML to:
- Look up all OAM users referencing the modified Oracle Transportation Management user. These
  are users with a matching otmUserGid.
- Update the affected attributes on the OAM user.
If the Oracle Transportation Management user is deleted, all Oracle Transportation Management
attributes are cleared on associated OAM users. If an Oracle Transportation Management user is
added, OAM users are searched for a matching otmUserGid and all their Oracle Transportation
Management attributes are synchronized with current values [3].
The following Oracle Transportation Management properties control communication with OAM:
glog.security.oam.server=<WebPass host>
glog.security.oam.user=<OAM user>
glog.security.oam.password=<OAM password>
Note: The OAM user must have modify rights to all Oracle Transportation Management attributes on
all affected OAM users.
To monitor updates from Oracle Transportation Management to OAM, enable the Oracle Transportation
Management log ID: OAM.
[3] This is unlikely to occur since workflows fail if Oracle Transportation Management/OAM
communication paths are down.
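The Oracle Transportation Management to OAM direction, covering both the steps listed under Change Password and the add/delete behaviour described in Oracle Transportation Management Property Modifications, as an added example (not Oracle's code): the directory is a constructed in-memory stand-in for the Identity XML calls to Web Pass, and the otmUserRole, otmNickname and otmUserPassword attribute names are assumed.

```python
# Mirroring an OTM user change onto every OAM user linked to it. The directory is a
# constructed in-memory stand-in for the Identity XML calls to the Web Pass server.
from typing import Dict, List, Optional

# otmUserGid, otmUserPreferences and otmUserMenus are named in the guide; the
# other three attribute names are assumed.
OTM_ATTRS = ("otmUserGid", "otmUserRole", "otmUserPreferences",
             "otmUserMenus", "otmNickname", "otmUserPassword")


class OamUnavailable(Exception):
    """Web Pass could not be reached; OTM must leave its own user change uncommitted."""


class FakeWebPass:
    """Constructed directory: DN -> attribute dict, with an availability switch."""

    def __init__(self, entries: Dict[str, Dict[str, Optional[str]]], available: bool = True):
        self.entries = entries
        self.available = available

    def search_by_otm_gid(self, gid: str) -> List[str]:
        """DNs whose otmUserGid equals gid (several under the many-to-one model)."""
        if not self.available:
            raise OamUnavailable("Web Pass not reachable")
        return [dn for dn, attrs in self.entries.items() if attrs.get("otmUserGid") == gid]

    def modify(self, dn: str, values: Dict[str, Optional[str]]) -> None:
        if not self.available:
            raise OamUnavailable("Web Pass not reachable")
        self.entries[dn].update(values)


def sync_to_oam(webpass: FakeWebPass, gid: str, transaction: str,
                values: Optional[Dict[str, Optional[str]]] = None,
                is_from_oam: bool = False) -> List[str]:
    """Push an OTM 'add', 'modify' or 'delete' of user gid to all linked OAM users.

    Returns the DNs updated. A change that itself arrived from OAM (IsFromOAM) is not
    echoed back. OamUnavailable propagates so the OTM transaction is not committed.
    """
    if is_from_oam:
        return []
    if transaction == "delete":
        # Clear the link and every OTM attribute on the associated OAM users.
        update: Dict[str, Optional[str]] = {attr: None for attr in OTM_ATTRS}
    elif transaction in ("add", "modify"):
        # 'add' resynchronises all current values, 'modify' carries only changed fields;
        # the link attribute itself is never rewritten here.
        update = {k: v for k, v in (values or {}).items() if k in OTM_ATTRS and k != "otmUserGid"}
    else:
        raise ValueError(f"unknown transaction {transaction!r}")
    matches = webpass.search_by_otm_gid(gid)   # raises before anything is written
    for dn in matches:
        webpass.modify(dn, update)
    return matches


# Constructed sample directory: two OAM users share one OTM user (many-to-one).
SAMPLE_DIRECTORY = {
    "cn=jsmith,cn=Users,dc=example,dc=com": {"otmUserGid": "GUEST.JSMITH", "otmNickname": "jsmith"},
    "cn=jdoe,cn=Users,dc=example,dc=com": {"otmUserGid": "GUEST.JSMITH", "otmNickname": "jsmith"},
    "cn=other,cn=Users,dc=example,dc=com": {"otmUserGid": "GUEST.OTHER", "otmNickname": "other"},
}
```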
1. Login to the Access Manager as the Master Administrator and select the Policy Manager tab.
2. Create a new Policy Domain named OTM.
3. Add an http resource type with a URL prefix of /GC3. This will control all access to Oracle
Transportation Management servlets.
4. Create an authorization rule named OTM Authorization. The rule should have a single
success action, returning a HEADERVAR type variable named HTTP_OTM_UID for return attribute
otmUserGid. This forwards the Oracle Transportation Management User GID attribute to
Oracle Transportation Management on successful authorization. Make sure the rule allows
access to the Any one role and enable the rule.
5. Create a default authentication rule named OTM Authentication. Typically, this uses the
basic over LDAP authentication scheme. If you did not configure standard authentication when
installing the access server, consult the OAM Access Administration Guide. The authentication
rule should have a single success action, returning a HEADERVAR type variable named
HTTP_OTM_UID for return attribute otmUserGid. This forwards the Oracle Transportation
Management User GID attribute to Oracle Transportation Management on successful
authentication.
6. Create a default authorization expression named OTM Authorization. This should simply
select the OTM Authorization rule.
7. Create a policy named OTM Policy. This policy should apply to http resources with the /GC3
prefix and cover operations GET, POST, PUT and HEAD.
8. Save and enable the Oracle Transportation Management policy domain.
9. Use Access Tester to verify your policy domain. Specify a URL of http://localhost/GC3/glog,
an operation of GET, show all users with show matching Policy and show matching Rule.
The resulting test should show all users with a policy of OTM Policy, a rule of OTM
Authorization and authorized. E.g.
glog.security.sso=true
glog.security.sso.appUidName=HTTP_OTM_UID
glog.security.sso.appUidLocation=3
Once SSO is activated, Oracle Transportation Management disables its logout button by default. You
can control the display and effect of the logout button with the following optional properties:
glog.security.sso.logoutButton=true
glog.security.sso.logoutUrl=<URL for OAM logout>
To support an Oracle Transportation Management intranet (see the General Architecture section),
users with direct access to the Oracle Transportation Management web server may circumvent OAM
authentication and authorization, logging directly into Oracle Transportation Management. These users
always see a logout button and are logged out from Oracle Transportation Management (not OAM) if it
is selected.
To install this, a WebLogic server should be up and running. So install OHS on the
WebLogic server used for OBIEE.
The installation steps can be found in: Oracle® Fusion Middleware Installation Guide for Oracle
Web Tier 11g Release 1 (11.1.1).
<Location /analytics>
SetHandler weblogic-handler
</Location>
b. Restart OHS.
c. Test if you can access OBIEE via OHS server.
Note: For the agent, enter the username of weblogic and appropriate password for
that weblogic user.
6. Integrate OBIEE 11g with OID for user repository.
By default OBIEE 11g authenticates against WebLogic’s embedded LDAP server using the
Default Authentication Provider.
a. You must add an additional Authentication Provider of type OID in the WebLogic
Security Realm in weblogic Administration Console.
b. Set the control flag of that authentication provider to SUFFICIENT.
The control flags available are:
REQUIRED — The Authentication provider is always called, and the user must always
pass its authentication test.
OPTIONAL — The user is allowed to pass or fail the authentication test of this
Authentication provider. However, if all Authentication providers configured in a
security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the
authentication test of one of the configured providers.
7. In WebLogic enterprise manager, add the property virtualize and set the value to true.
Note: The configuration steps can be found in Oracle® Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, in section 3 Using Alternative Authentication Providers
and in sub-section 3.2.7 Regenerating User GUIDs.