
Oracle® Transportation Management

OAM Integration Guide


Release 6.3
Part No. E38430-04

January 2014
Oracle Transportation Management OAM Integration Guide, Release 6.3

Part No. E38430-04


Copyright © 2009, 2014, Oracle and/or its affiliates. All rights reserved.
This software and related documentation are provided under a license agreement containing
restrictions on use and disclosure and are protected by intellectual property laws. Except as expressly
permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any
form, or by any means. Reverse engineering, disassembly, or decompilation of this software, unless
required by law for interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-
free. If you find any errors, please report them to us in writing.
If this is software or related documentation that is delivered to the U.S. Government or anyone
licensing it on behalf of the U.S. Government, the following notice is applicable:
U.S. GOVERNMENT END USERS: Oracle programs, including any operating system, integrated
software, any programs installed on the hardware, and/or documentation, delivered to U.S.
Government end users are "commercial computer software" pursuant to the applicable Federal
Acquisition Regulation and agency-specific supplemental regulations. As such, use, duplication,
disclosure, modification, and adaptation of the programs, including any operating system, integrated
software, any programs installed on the hardware, and/or documentation, shall be subject to license
terms and license restrictions applicable to the programs. No other rights are granted to the U.S.
Government.
This software or hardware is developed for general use in a variety of information management
applications. It is not developed or intended for use in any inherently dangerous applications, including
applications that may create a risk of personal injury. If you use this software or hardware in
dangerous applications, then you shall be responsible to take all appropriate fail-safe, backup,
redundancy, and other measures to ensure its safe use. Oracle Corporation and its affiliates disclaim
any liability for any damages caused by use of this software or hardware in dangerous applications.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be
trademarks of their respective owners.
Intel and Intel Xeon are trademarks or registered trademarks of Intel Corporation. All SPARC
trademarks are used under license and are trademarks or registered trademarks of SPARC
International, Inc. AMD, Opteron, the AMD logo, and the AMD Opteron logo are trademarks or
registered trademarks of Advanced Micro Devices. UNIX is a registered trademark of The Open Group.
This software or hardware and documentation may provide access to or information on content,
products, and services from third parties. Oracle Corporation and its affiliates are not responsible for
and expressly disclaim all warranties of any kind with respect to third-party content, products, and
services. Oracle Corporation and its affiliates will not be responsible for any loss, costs, or damages
incurred due to your access to or use of third-party content, products, or services.
For information about Oracle's commitment to accessibility, visit the Oracle Accessibility Program
website at http://www.oracle.com/pls/topic/lookup?ctx=acc&id=docacc.
Access to Oracle Support
Oracle customers have access to electronic support through My Oracle Support. For information, visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=info or visit
http://www.oracle.com/pls/topic/lookup?ctx=acc&id=trs if you are hearing impaired.

Copyright © 2009, 2014, Oracle and/or its affiliates. All rights reserved. iii
Contents
CONTENTS................................................................................................. IV

SEND US YOUR COMMENTS ......................................................................... V

PREFACE ................................................................................................... VI

CHANGE HISTORY .................................................................................................... VI


1. GENERAL ARCHITECTURE .................................................................. 1-7

USER SYNCHRONIZATION ........................................................................................ 1-7


SHARED ATTRIBUTES ............................................................................................................. 1-7
OAM TO ORACLE TRANSPORTATION MANAGEMENT ........................................................................... 1-8
ORACLE TRANSPORTATION MANAGEMENT TO OAM ......................................................................... 1-11
SINGLE SIGN-ON ................................................................................................. 1-11
2. INTEGRATION SETUP ........................................................................ 2-1

ACTIVE DIRECTORY MODIFICATIONS ......................................................................... 2-1


OAM IDENTITY SYSTEM MODIFICATIONS ................................................................... 2-4
ADDING THE ORACLE TRANSPORTATION MANAGEMENT USER CLASS TO THE IDENTITY SERVER ......................... 2-4
ADDING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION TO USER MANAGER DISPLAYS ................. 2-4
MAKING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION SEARCHABLE .................................... 2-4
ADDING ORACLE TRANSPORTATION MANAGEMENT USER INFORMATION TO SEARCH RESULTS ........................... 2-5
SETTING ACCESS CONTROL ON ORACLE TRANSPORTATION MANAGEMENT ATTRIBUTES ................................... 2-5
ADDING WORKFLOWS ............................................................................................................ 2-6
ORACLE TRANSPORTATION MANAGEMENT PROPERTY MODIFICATIONS ............................. 2-13
3. SINGLE SIGN-ON SETUP .................................................................... 3-1

OAM ACCESS SYSTEM MODIFICATIONS ...................................................................... 3-1


OAM WEB SERVER MODIFICATIONS .......................................................................... 3-2
ORACLE TRANSPORTATION MANAGEMENT PROPERTY MODIFICATIONS ............................... 3-2
CONFIGURE FTI/GTI WITH OAM (SSO) ................................................................... 3-2
CURRENT SECURITY MECHANISM ................................................................................................ 3-2
PREREQUISITES TO USE SINGLE SIGN-ON (SSO) FOR FTI/GTI ............................................................. 3-2
CONFIGURATION PROCESS ....................................................................................................... 3-2

Send Us Your Comments
Oracle Transportation Management OAM Integration Guide, Release 6.3

Part No. E38430-04

Oracle welcomes your comments and suggestions on the quality and usefulness of this publication.
Your input is an important part of the information used for revision.

• Did you find any errors?
• Is the information clearly presented?
• Do you need more information? If so, where?
• Are the examples correct? Do you need more examples?
• What features did you like most about this manual?
If you find any errors or have any other suggestions for improvement, please indicate the title and
part number of the documentation and the chapter, section, and page number (if available). You can
send comments to us in the following ways:

• Electronic mail: otm-doc_us@oracle.com


If you would like a reply, please give your name, address, telephone number, and electronic mail
address (optional).

If you have problems with the software, contact Support at https://support.oracle.com or find the
Support phone number for your region at http://www.oracle.com/support/contact.html.

Preface
This document provides guidelines for integrating Oracle Access Manager (OAM) with Oracle
Transportation Management (OTM). It includes an architectural overview as well as step-by-step
instructions to configure both products for interoperability. System architects should use this
document to design a common security layer that incorporates Oracle Transportation Management.
System integrators should use this document to implement communication between the products. This
connection ensures security data is synchronized between the two products.

Change History
Date      Document Revision  Summary of Changes
12/2012   -01                Initial release.
2/2013    -02                Added new section on Configuring FTI with OAM (SSO). Bug 16317373.
8/2013    -03                Updates for OAM and WebGate for Single Sign-on.
12/2013   -04                Reworked section on Configuring FTI with OAM to include new product GTI.
                             Section is now titled "Configuring FTI/GTI with OAM (SSO)".

1. General Architecture
An OAM/Oracle Transportation Management integration environment consists of three distinct
subsystems:

• A secure intranet running Oracle Transportation Management web and application servers.
  Each web server runs Oracle HTTP Server fronting a Tomcat servlet engine. The application
  servers run on WebLogic. HTTP requests are accepted on port 8080.
• One or more OAM web servers running Web Pass, Policy Manager and Web Gate. While OAM
  supports a number of web server platforms, Oracle Transportation Management is certified
  against the Oracle HTTP Server. HTTP requests are accepted on port 80.
• An OAM server zone. This consists of one or more Identity and Access servers backed by an
  Oracle Internet Directory (OID) LDAP directory.
To manage enterprise users, an administrator accesses an OAM web server to add, update, and
remove user information from the OAM Identity Server. To implement single sign-on, OTM's OHS
server has a WebGate installed that communicates with OAM to authenticate and authorize
enterprise users.

User Synchronization
Shared Attributes
An auxiliary object class (otmUser) in the LDAP directory defines attributes shared by Oracle
Transportation Management and OAM. These attributes include:

• The Oracle Transportation Management user ID. This links an OAM enterprise user to a specific
  Oracle Transportation Management user. Two mapping models can be used. In the one-to-one
  model, an OAM user may map to at most one Oracle Transportation Management user. This
  provides an OAM manager full control over Oracle Transportation Management attributes
  without inadvertently affecting other users. Conversely, the many-to-one model allows many
  OAM users to map to a single Oracle Transportation Management user. In an environment with
  tens of thousands of users, this improves Oracle Transportation Management scalability at the
  cost of reduced control.
• The Oracle Transportation Management user role. This is the default user role GID for the
  Oracle Transportation Management user.
• The Oracle Transportation Management user preferences. If specified, a User Preferences
  access record is added to Oracle Transportation Management, specifying a user preference
  override for this user.
• The Oracle Transportation Management user menus. If specified, a User Menu access record is
  added to Oracle Transportation Management, specifying one or more user menu layout
  overrides for this user.
• The Oracle Transportation Management nickname. An alternate login for Oracle Transportation
  Management intranet users.
• The Oracle Transportation Management user password. If single sign-on is not used or intranet
  users are supported, OAM managers can control the Oracle Transportation Management
  password. If left blank, the Oracle Transportation Management password is set to a default.
Changes to these attributes made in OAM are reflected in the Oracle Transportation Management
schema and user management pages. Changes to these attributes made in Oracle Transportation
Management are reflected in the OAM user panels.

OAM to Oracle Transportation Management
Changes made to Oracle Transportation Management attributes in OAM are validated and forwarded to
Oracle Transportation Management. This is done through four custom event handlers:

1. An external action in the Create OTM User workflow. This action validates Oracle
Transportation Management user information via an Oracle Transportation Management
servlet. If validation succeeds, the action sends a User XML integration message to the Oracle
Transportation Management web server, adding or modifying the corresponding Oracle
Transportation Management user. This workflow should be available to all OAM users with
rights to add Oracle Transportation Management users. When such a user selects Create
User Identity from the User Manager, they can opt to create a basic user or to create an
Oracle Transportation Management user. The Oracle Transportation Management user flow
triggers the Create OTM User workflow.
2. An external action in the Modify OTM User workflow. This action validates Oracle
Transportation Management user information via an Oracle Transportation Management web
server servlet. If validation succeeds, the action sends a User XML integration message to the
Oracle Transportation Management web server, adding, modifying, or deleting the
corresponding Oracle Transportation Management user.¹ This workflow should be available to
all managers. When a manager tries to modify an OAM user, the Oracle Transportation
Management attributes are only accessible via a Request to Remove or Request to Modify
button on the Oracle Transportation Management user GID. These buttons trigger the Modify
OTM User workflow.
3. An external action in the Delete OTM User workflow. This action sends a User XML integration
message to the Oracle Transportation Management web server, removing the corresponding
Oracle Transportation Management user. If the Identity Server is configured with the many-to-
one user model, this action is ignored.
4. An on-change handler for the inetOrgPerson object class. An administrator (e.g. orcladmin)
may modify Oracle Transportation Management attributes directly without triggering the
Modify OTM User workflow. Any changes to Oracle Transportation Management attributes are
still validated against an Oracle Transportation Management servlet and User XML is sent to
Oracle Transportation Management.
Any validation or communication errors are embedded into the OAM event or Presentation XML and
displayed to the OAM user. If the errors occurred within the Create, Modify, or Delete workflow, the
workflow is aborted: OAM user changes are not committed. If an error occurs during the on-change
handler for inetOrgPerson, OAM user changes are still committed. As this can lead to inconsistencies
between OAM and Oracle Transportation Management user information, when possible avoid
modifying Oracle Transportation Management attributes as an administrator.

Oracle Transportation Management provides three executable jar files to implement event handlers:
OnOTMUserAdd.jar, OnOTMUserChange.jar and OnOTMUserDelete.jar. The OnOTMUserChange.jar is
used for both the Modify External action and for On Change Events to inetOrgPerson. These handlers
are written in Java and run in a separate process space from the Identity Server.
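The delta logic described above, as an added example rather than the handler code shipped in OnOTMUserChange.jar: given the previous attribute values (as the handler would retrieve them with Identity XML) and the new values supplied by the workflow, it emits a User XML message carrying only the changed elements, sets IsFromOAM so the change is not echoed back, and derives TransactionCode from how otmUserGid moved. The element names are the ones the guide lists; the Transmission/TransmissionBody/GLogXMLElement/User envelope, the Gid/DomainName/Xid nesting and the I/U/D codes are assumed from common GLogXML conventions and must be checked against the OTM 6.3 schema.

```python
# Added example, not code from the OTM/OAM event handlers. It builds the User XML
# message the guide describes: only changed fields are sent, IsFromOAM is set so
# OTM does not echo the change back, and TransactionCode follows otmUserGid.
# ASSUMPTIONS: the Transmission/TransmissionBody/GLogXMLElement/User envelope, the
# Gid/DomainName/Xid nesting of GIDs and the codes I/U/D are taken from the usual
# GLogXML conventions and must be checked against the OTM 6.3 schema.
import xml.etree.ElementTree as ET

# OAM attribute -> User XML element (element names as listed in the guide).
ATTR_TO_ELEMENT = {
    "otmUserRole": "UserRoleGid",
    "otmUserPreferences": "UserPreferenceGid",
    "otmUserMenus": "UserMenuLayoutGid",   # multi-valued in the directory
    "otmNickname": "Nickname",
    "otmPassword": "UserPassword",
}


def _norm(value):
    """Directory value -> sorted tuple, so None, '' and [] all compare equal."""
    if value is None or value == "":
        return ()
    if isinstance(value, (list, tuple, set)):
        return tuple(sorted(v for v in value if v))
    return (value,)


def changed_fields(previous, new):
    """Attributes whose value differs between the Identity XML snapshot and the workflow data."""
    return {a: _norm(new.get(a)) for a in ATTR_TO_ELEMENT
            if _norm(previous.get(a)) != _norm(new.get(a))}


def transaction_code(previous, new):
    """I when otmUserGid appears, D when it is cleared, U otherwise (assumed codes)."""
    before, after = _norm(previous.get("otmUserGid")), _norm(new.get("otmUserGid"))
    if after and not before:
        return "I"
    if before and not after:
        return "D"
    return "U"


def _gid_element(parent, name, gid):
    """GIDs are DOMAIN.XID; emit them in the assumed Gid/DomainName/Xid form."""
    domain, _, xid = gid.rpartition(".")
    g = ET.SubElement(ET.SubElement(parent, name), "Gid")
    if domain:
        ET.SubElement(g, "DomainName").text = domain
    ET.SubElement(g, "Xid").text = xid


def build_user_xml(previous, new):
    """Return the User XML string, or None when nothing would change in OTM."""
    delta = changed_fields(previous, new)
    code = transaction_code(previous, new)
    if code == "U" and not delta:
        return None
    gid = _norm(new.get("otmUserGid")) or _norm(previous.get("otmUserGid"))
    if not gid:
        raise ValueError("neither side carries an otmUserGid")
    root = ET.Element("Transmission")
    body = ET.SubElement(ET.SubElement(root, "TransmissionBody"), "GLogXMLElement")
    user = ET.SubElement(body, "User")
    _gid_element(user, "GlUserGid", gid[0])
    ET.SubElement(user, "TransactionCode").text = code
    if code != "D":
        for attr, values in delta.items():
            elem = ATTR_TO_ELEMENT[attr]
            for v in values or ("",):          # cleared field: one empty element
                if elem.endswith("Gid") and v:
                    _gid_element(user, elem, v)
                else:
                    ET.SubElement(user, elem).text = v
    ET.SubElement(user, "IsFromOAM").text = "Y"
    return ET.tostring(root, encoding="unicode")
```

Because the comparison normalises empty strings, missing attributes and empty lists to the same value, a workflow that resubmits an unchanged form produces no message at all, which is what keeps the handler from generating spurious updates.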

¹ If the OTM User GID is cleared in OTM, and the Identity Server supports a one-to-one user
model, the corresponding OTM user is deleted.

Validation

The following are current validation checks performed by Oracle Transportation Management:

• Reserved Users. Oracle Transportation Management ADMIN and DEFAULT users are reserved.
  OAM cannot associate a user with an Oracle Transportation Management reserved user. If you
  want an OAM user to log in as an Oracle Transportation Management reserved user, leave their
  Oracle Transportation Management User GID blank. When accessing Oracle Transportation
  Management, they will be prompted to enter an Oracle Transportation Management user and
  password and can directly log in as a reserved user.
• One-to-one User Model. If the Identity Server is using the one-to-one user model, an Oracle
  Transportation Management User GID can be referenced by at most one OAM user. The one-
  to-one model is specified in the oblixpppcatalog.lst configuration file on the Identity
  Server.
• Valid Domain. When specifying a new Oracle Transportation Management User GID, the
  domain name must be a valid domain from the Oracle Transportation Management DOMAIN
  table.
• Old Password. When modifying an Oracle Transportation Management password for an
  existing Oracle Transportation Management user, the previous password stored in OAM must
  match the password stored in Oracle Transportation Management. This is necessary to meet
  the credential requirements for User XML.
• Nickname. Each Oracle Transportation Management Nickname must be unique across all
  Oracle Transportation Management users.
• User Role. The user role must match a USER_ROLE_GID from the Oracle Transportation
  Management USER_ROLE table.
• User Preferences. The user preferences must match a USER_PREFERENCE_GID from the
  Oracle Transportation Management USER_PREFERENCE table.
• User Menus. Each user menu must match a USER_MENU_LAYOUT_GID from the Oracle
  Transportation Management USER_MENU_LAYOUT table.
It is possible for validation to succeed but for Oracle Transportation Management to encounter errors
processing the User XML. For example, the Oracle Transportation Management user specified in
oblixpppcatalog.lst may only have rights to add users for a particular Oracle Transportation
Management domain. If the OAM administrator tries to associate an OAM user with an Oracle
Transportation Management user outside that domain, the resulting VPD error is not caught until the
User XML is processed. This occurs asynchronously, independently of the OAM workflow. To catch
these errors, you can configure OAM to send Oracle Transportation Management transaction report
error emails to a monitoring mailbox (see the Linking Oracle Transportation Management External
Actions section). Any errors received in this mailbox require manual synchronization of the OAM and
Oracle Transportation Management users.
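The checks listed above, written out as an added example rather than the servlet OTM actually runs. The DOMAIN, USER_ROLE, USER_PREFERENCE, USER_MENU_LAYOUT and GL_USER contents, the directory's otmUserGid ownership map and the one-to-one flag (which in a real deployment comes from oblixpppcatalog.lst) are all constructed in memory here. A blank GID passes without checks, matching the reserved-user guidance that such users log in to OTM directly.

```python
# Added example, not the OTM validation servlet. It applies the checks listed in the guide
# to a proposed set of otm* attributes. The OTM tables, the GL_USER rows and the directory
# contents are constructed in memory; the one_to_one flag stands in for the setting in
# oblixpppcatalog.lst.
import hmac

RESERVED_USERS = {"ADMIN", "DEFAULT"}   # OTM reserved users


class OtmTables:
    """Constructed stand-in for the OTM tables the checks consult."""
    def __init__(self):
        self.domains = {"ACME", "GUEST"}                            # DOMAIN
        self.user_roles = {"ACME.PLANNER", "GUEST.DEFAULT"}         # USER_ROLE
        self.user_preferences = {"ACME.METRIC"}                     # USER_PREFERENCE
        self.user_menu_layouts = {"ACME.PLANNING", "ACME.REPORTS"}  # USER_MENU_LAYOUT
        # GL_USER: gid -> {password, nickname}
        self.gl_users = {"ACME.JSMITH": {"password": "s3cret", "nickname": "jsmith"}}


def validate_otm_attributes(req, tables, gid_owners, one_to_one=True, requester_dn=None):
    """Return a list of validation errors (empty list = pass).

    req          proposed values: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus,
                 otmNickname, otmPassword, plus oldPassword (the value OAM held before the change)
    gid_owners   {otmUserGid: {dn, ...}} as found in the directory
    requester_dn the OAM user being edited, excluded from the one-to-one check
    """
    errors = []
    gid = req.get("otmUserGid")
    if not gid:
        return errors   # blank GID: the user logs in to OTM directly, nothing to validate

    # Reserved users
    if gid.upper() in RESERVED_USERS:
        errors.append(f"{gid} is a reserved OTM user; leave the OTM User GID blank instead")

    # One-to-one user model
    if one_to_one:
        others = gid_owners.get(gid, set()) - {requester_dn}
        if others:
            errors.append(f"{gid} is already mapped to {sorted(others)}")

    # Valid domain (GIDs are DOMAIN.XID; domains may themselves contain dots)
    domain = gid.rpartition(".")[0]
    if domain not in tables.domains:
        errors.append(f"domain '{domain}' is not in the OTM DOMAIN table")

    existing = tables.gl_users.get(gid)

    # Old password: only when changing the password of an existing OTM user
    if existing is not None and req.get("otmPassword") is not None:
        old = req.get("oldPassword") or ""
        if not hmac.compare_digest(old.encode(), existing["password"].encode()):
            errors.append("previous password held in OAM does not match the OTM password")

    # Nickname unique across all OTM users
    nick = req.get("otmNickname")
    if nick:
        for other_gid, row in tables.gl_users.items():
            if other_gid != gid and row.get("nickname") == nick:
                errors.append(f"nickname '{nick}' is already used by {other_gid}")

    # Role, preference and menu layouts must exist
    role = req.get("otmUserRole")
    if role and role not in tables.user_roles:
        errors.append(f"user role '{role}' is not in USER_ROLE")
    pref = req.get("otmUserPreferences")
    if pref and pref not in tables.user_preferences:
        errors.append(f"user preference '{pref}' is not in USER_PREFERENCE")
    for menu in req.get("otmUserMenus") or []:
        if menu not in tables.user_menu_layouts:
            errors.append(f"user menu layout '{menu}' is not in USER_MENU_LAYOUT")
    return errors
```

All failures are collected rather than stopping at the first one, so the OAM results page can show the manager everything that needs fixing in a single round trip; the domain check is still only a syntactic check, and the VPD failure described above can only be caught from the transaction report mail.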

User XML

User XML integration messages are an Oracle Transportation Management 6.0 extension to the Oracle
Transportation Management integration layer. The schema for the new GLogElement is:

OAM integration leverages the GlUserGid, TransactionCode, Nickname, UserPassword, UserRoleGid,
UserPreferenceGid, UserMenuLayoutGid, and IsFromOAM elements. The IsFromOAM ensures that
updates from OAM to Oracle Transportation Management don’t trigger any updates back to OAM.

The event handlers only forward fields that have changed. For workflow events, the handler retrieves
previous values by querying the OAM web server with Identity XML². It then compares these against
the new values supplied by the workflow and constructs an appropriate User XML.

Access Requirements

Event handlers running on the Identity Server must have HTTP access to both the OAM Web Pass web
server and the Oracle Transportation Management integration web server.

Oracle Transportation Management to OAM


Oracle Transportation Management users can change user attributes via integration (i.e. User XML) or
from the following Oracle Transportation Management pages:

• User Manager, including the Remove User, Update Nickname, Update Password, and Update
  User Role actions.
• Manage User Access with the User Preference access type. This corresponds to the OAM
  otmUserPreferences attribute when the User Access User ID is specific to the Oracle
  Transportation Management user.
• Manage User Access with the User Menu access type. This corresponds to the OAM
  otmUserMenus attribute when the User Access User ID is specific to the Oracle Transportation
  Management user.
• Change Password
When a user change is detected, Oracle Transportation Management interacts with an OAM Web Pass
web server to:

• Identify all distinguished names whose otmUserGid matches the modified user.
• For modified or removed user fields, update the attribute on all matching OAM users.
• For removed users, clear the otmUserGid field on all matching OAM users.
• If the OAM server is not available, the Oracle Transportation Management action throws an
  exception and user changes are not committed.
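The fan-out just described, as an added example (not OTM's own code) run against a constructed in-memory stand-in for the Web Pass directory. It shows the two points that matter operationally: in the many-to-one model one OTM change touches several DNs, and when the directory is unreachable the OAM side raises before the OTM change is committed.

```python
# Added example, not OTM code. It plays through the steps above against a constructed
# in-memory stand-in for the OAM Web Pass directory: find every DN whose otmUserGid
# matches, push the changed fields to all of them (several DNs in the many-to-one
# model), clear otmUserGid on removal, and refuse to commit the OTM change when OAM
# cannot be reached.
class OamUnavailable(Exception):
    pass


class WebPassStub:
    """Constructed stand-in for the Identity XML calls made against Web Pass."""
    def __init__(self, entries, reachable=True):
        self.entries = entries        # dn -> attribute dict
        self.reachable = reachable

    def dns_for_gid(self, gid):
        if not self.reachable:
            raise OamUnavailable("OAM Web Pass did not answer")
        return sorted(dn for dn, a in self.entries.items() if a.get("otmUserGid") == gid)

    def modify(self, dn, changes):
        if not self.reachable:
            raise OamUnavailable("OAM Web Pass did not answer")
        for attr, value in changes.items():
            if value is None:
                self.entries[dn].pop(attr, None)
            else:
                self.entries[dn][attr] = value


# OTM user field -> OAM attribute (the pages listed above change these fields)
FIELD_TO_ATTR = {
    "nickname": "otmNickname",
    "password": "otmPassword",
    "user_role": "otmUserRole",
    "user_preference": "otmUserPreferences",
    "user_menus": "otmUserMenus",
}


def push_user_change(webpass, gid, changes):
    """Update every OAM user mapped to gid; a value of None means the OTM field was removed."""
    attrs = {FIELD_TO_ATTR[f]: v for f, v in changes.items()}
    dns = webpass.dns_for_gid(gid)
    for dn in dns:
        webpass.modify(dn, attrs)
    return dns


def push_user_removal(webpass, gid):
    """Clear otmUserGid on every OAM user that pointed at the removed OTM user."""
    dns = webpass.dns_for_gid(gid)
    for dn in dns:
        webpass.modify(dn, {"otmUserGid": None})
    return dns


def otm_user_action(webpass, gid, changes, commit):
    """Run the OAM side first; call commit() for the OTM change only when OAM accepted it."""
    try:
        push_user_change(webpass, gid, changes)
    except OamUnavailable:
        return False        # the exception surfaces to the user; OTM change not committed
    commit()
    return True
```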

² As a separate Java process, the handler does not have direct access to the Identity API.

Single Sign-on
Customers can leverage OAM single sign-on to delegate authentication of Oracle Transportation
Management pages to OAM. Requests are sent to OTM and intercepted by a WebGate installed on the
OHS instance. The WebGate looks for an authentication cookie and, if it is not present, redirects the
user to OAM for authentication. Once authenticated, the WebGate can store the User ID in a header
value, as a request parameter, or in a cookie. This is configured in OAM and must match the
configuration in OTM. The User ID can be the GL User GID or a Nickname. Once that is set, the user
can access OTM.

Certain users may need to access multiple users in Oracle Transportation Management or log in as a
reserved user. By omitting the otmUserGid attribute for these users, Oracle Transportation
Management redirects proxy requests to the Oracle Transportation Management login page. This
allows an OAM user direct access to Oracle Transportation Management security.

For clients behind the Oracle Transportation Management intranet, requests can be made directly
against the Oracle Transportation Management web server. Though user attributes are still
manageable from OAM, SSO is avoided and intranet users have direct access to Oracle Transportation
Management security.
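How the OTM side of that hand-off can consume the User ID, as an added example that is neither OTM's nor WebGate's code. It reads the identity from a header, request parameter or cookie according to the mode that must match the OAM-side setting, resolves a Nickname to the GL User GID, and returns None (meaning: show the OTM login page) when no identity is present. Because the guide also allows intranet clients to reach the OTM web server directly, the example only trusts a presented identity on requests that arrived from the WebGate-fronted OHS; the trusted address list, the header and cookie names and the request dictionary shape are this example's assumptions.

```python
# Added example, not OTM or WebGate code. After the WebGate authenticates a user it
# hands the User ID to OTM in a header, a request parameter or a cookie; the choice
# is configured in OAM and must match OTM. This resolver reads that value, maps a
# Nickname to the GL User GID, and trusts a presented identity only on requests that
# came through the WebGate-fronted OHS. ASSUMPTIONS: the trusted source list, the
# header/cookie/parameter names and the request dict shape.
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


class SsoConfig:
    def __init__(self, mode, name, trusted_sources):
        assert mode in ("header", "parameter", "cookie")
        self.mode = mode                               # must equal the OAM-side setting
        self.name = name                               # header/parameter/cookie name
        self.trusted_sources = set(trusted_sources)    # OHS/WebGate addresses


def extract_sso_user_id(request, cfg):
    """Return the User ID the WebGate set, or None if absent or not presented via the WebGate.

    request: {"remote_addr": str, "headers": {name: value}, "query": str, "cookies": str}
    """
    if request["remote_addr"] not in cfg.trusted_sources:
        # A client that reaches the OTM web server directly bypasses the WebGate, so any
        # identity it presents is self-asserted; fall back to the OTM login page.
        return None
    if cfg.mode == "header":
        headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
        value = headers.get(cfg.name.lower())
    elif cfg.mode == "parameter":
        value = parse_qs(request.get("query", "")).get(cfg.name, [None])[0]
    else:
        jar = SimpleCookie()
        jar.load(request.get("cookies", ""))
        value = jar[cfg.name].value if cfg.name in jar else None
    value = (value or "").strip()
    return value or None


def resolve_gl_user(user_id, gl_users):
    """Map the WebGate User ID (GL User GID or Nickname) to a GL_USER key."""
    if user_id is None:
        return None
    if user_id in gl_users:
        return user_id
    matches = [gid for gid, row in gl_users.items() if row.get("nickname") == user_id]
    return matches[0] if len(matches) == 1 else None   # nicknames are unique in OTM


def sso_login(request, cfg, gl_users):
    """None means: redirect to the OTM login page (blank otmUserGid, or not via the WebGate)."""
    return resolve_gl_user(extract_sso_user_id(request, cfg), gl_users)
```

The source-address check is the important part: with header mode configured, any request that can reach port 8080 without passing the WebGate could otherwise name an arbitrary user, so either restrict that port to the OHS hosts or have OHS strip the identity header from incoming requests before the WebGate sets it.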

2. Integration Setup
Active Directory Modifications
Oracle Transportation Management requires an otmUser auxiliary object class in the Lightweight
Directory Access Protocol (LDAP) directory holding OAM user information. The class must have the
following attributes:

Attribute Name      Description                                             Syntax            Size  Multiple Values  OID Object ID
otmUserGid          Oracle Transportation Management User GID               Printable String  101   No               1911.01.01
otmUserRole         Oracle Transportation Management User Role GID          Printable String  101   No               1911.01.02
otmUserPreferences  Oracle Transportation Management User Preference GID    Printable String  101   No               1911.01.03
otmUserMenus        Oracle Transportation Management User Menu Layout GIDs  Printable String  101   Yes              1911.01.04
otmNickname         Oracle Transportation Management User Nickname          Printable String  101   No               1911.01.05
otmPassword         Oracle Transportation Management User Password          Printable String  128   No               1911.01.06
If possible, the otmUserGid attribute should be indexed for faster searches.

The otmUser class must contain the above attributes as optional attributes. Under OID, the class must
be defined as:

Class    Description                            Type       Object ID  Superclass  Mandatory Attributes  Optional Attributes
otmUser  Oracle Transportation Management User  Auxiliary  1911.01    top         (none)                otmUserGid, otmUserRole, otmUserPreferences,
                                                                                                        otmUserMenus, otmNickname, otmPassword
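The attribute table as data, with a check that an entry obeys it and the LDIF that attaches the auxiliary class to an existing user entry, as an added example rather than an Oracle schema file. The size limits and single/multi-valued flags come from the table above; the Printable String character set is the one RFC 4517 defines; the DN and values are constructed, and OID registration of the attributes is left to Oracle Directory Manager as the figures above show.

```python
# Added example, not an Oracle schema file. The otmUser attribute table as data, a check
# that an entry's otm* values obey it (Printable String per RFC 4517, size, single- vs
# multi-valued), and the LDIF that attaches the auxiliary class to an existing user entry.
# ASSUMPTIONS: the DN and values are constructed; attribute OIDs are registered separately.
import base64
import string

PRINTABLE_STRING = set(string.ascii_letters + string.digits + "'()+,-./:?= ")

# attribute -> (max size, multi-valued), from the table in the guide
OTM_ATTRIBUTES = {
    "otmUserGid": (101, False),
    "otmUserRole": (101, False),
    "otmUserPreferences": (101, False),
    "otmUserMenus": (101, True),
    "otmNickname": (101, False),
    "otmPassword": (128, False),
}


def _values(raw):
    return list(raw) if isinstance(raw, (list, tuple)) else [raw]


def validate_otm_entry(entry):
    """Return a list of schema violations for the otm* part of an entry (empty = valid)."""
    errors = []
    for name, raw in entry.items():
        if name not in OTM_ATTRIBUTES:
            errors.append(f"{name}: not an otmUser attribute")
            continue
        size, multi = OTM_ATTRIBUTES[name]
        values = _values(raw)
        if len(values) > 1 and not multi:
            errors.append(f"{name}: single-valued, got {len(values)} values")
        for v in values:
            if len(v) > size:
                errors.append(f"{name}: {len(v)} characters exceeds size {size}")
            bad = sorted(set(v) - PRINTABLE_STRING)
            if bad:
                errors.append(f"{name}: not a Printable String (offending {bad})")
    return errors


def _ldif_line(name, v):
    """LDIF needs base64 for values with a leading space/colon/'<' or a trailing space."""
    if v.startswith((" ", ":", "<")) or v.endswith(" "):
        return f"{name}:: {base64.b64encode(v.encode()).decode()}"
    return f"{name}: {v}"


def otm_modify_ldif(dn, entry):
    """LDIF 'modify' that adds the otmUser auxiliary class and its attributes to dn."""
    violations = validate_otm_entry(entry)
    if violations:
        raise ValueError("; ".join(violations))
    lines = [f"dn: {dn}", "changetype: modify", "add: objectClass", "objectClass: otmUser"]
    for name, raw in entry.items():
        lines += ["-", f"add: {name}"] + [_ldif_line(name, v) for v in _values(raw)]
    return "\n".join(lines) + "\n"
```

Note that otmPassword is an ordinary Printable String attribute: the directory stores the OTM password as given, with no hashing, which is why the Setting Access Control section restricts read access on these attributes to administrators, managers and the user themselves.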

Figure 1 shows the Oracle Transportation Management-specific attributes under Oracle Directory Manager.

Figure 1 - Oracle Transportation Management Extension Attributes for OID

Figure 2 shows the Oracle Transportation Management-specific auxiliary class under Oracle Directory Manager.

Figure 2 - Oracle Transportation Management Auxiliary Class for OID



OAM Identity System Modifications
Adding the Oracle Transportation Management User Class to the Identity Server
Perform the following steps to incorporate the otmUser object class into OAM’s Identity Server:

1. Restart the Identity Server.


2. Bring up the Identity System Console
   (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the
   Master Administrator.
3. Select Common Configuration.
4. Select Object Classes.
5. Click Add.
6. Choose a class type of Person and search for the otmUser class in the Object Class list.
Note: Once the otmUser class is added to OAM, it cannot be removed.

7. Click Save. You will be redirected to the Configure Attributes page.


8. Select otmPassword and change its display type to Password, its text size to 128 and its text
length to 30. Click Save.
9. Click Done.
Adding Oracle Transportation Management User Information to User Manager
Displays
Perform the following steps to add Oracle Transportation Management user attributes to the OAM user
profile:

1. Bring up the Identity System Console
   (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the
   Master Administrator.
2. Select User Manager Configuration.
3. Select Tabs.
4. Select the Employees tab.
5. Click Modify.
6. Select the otmUser class in the Object Class(es) list.
7. Click Save. You will be redirected to the Modify Attributes page. If not, select Modify
Attributes.
8. Select each otm attribute and change the Display Name to specify a better description for an
end user. E.g., Set the display name for otmUserGid to OTM User ID. Make sure to save each
change before moving to the next attribute.
Making Oracle Transportation Management User Information Searchable
Perform the following steps to allow a user to search for Oracle Transportation Management user
information. This allows EXEC actions for Oracle Transportation Management to query Oracle
Transportation Management attributes from the Identity Server.

1. Bring up the Identity System Console
   (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the
   Master Administrator.
2. Select User Manager Configuration.

3. Select Tabs.
4. Select the Employees tab.
5. Press the View Object Profile button.
6. Select Configure Panels.
7. Press the Create button.
8. Add a panel OTM containing all six Oracle Transportation Management attributes. You may
want to order the attributes by likely frequency of use: OTM User ID, OTM User Role, OTM
User Preferences, OTM User Menus, OTM Nickname, OTM Password.
9. Add an additional attribute for Manager. Only managers can invoke workflows to modify Oracle
Transportation Management attributes, so you must specify a valid manager for each Oracle
Transportation Management user.
10. Select the Panel Information Is Complete check box.
11. Click Save.
12. Go back to the View Tab page for Employees.
13. Select the View Search Attributes button. Confirm the six Oracle Transportation
Management attributes are searchable.
Adding Oracle Transportation Management User Information to Search Results
If you want Oracle Transportation Management user information to be displayed on user search
results, perform the following steps:

1. Bring up the Identity System Console
   (http://<server>/identity/oblix/apps/admin/bin/front_page_admin.cgi), logging in as the
   Master Administrator.
2. Select User Manager Configuration.
3. Select Tabs.
4. Select the Employees tab.
5. Press the View Search Results Attributes button.
6. Press the Modify button.
7. Add Oracle Transportation Management attributes as needed.
8. Click Save.
Setting Access Control on Oracle Transportation Management Attributes
Only administrators and managers should have read access to Oracle Transportation Management
attributes. Direct modify access should be reserved for administrators to force managers to use
workflows to change Oracle Transportation Management data (see the Adding Workflows section). To
set access control on Oracle Transportation Management attributes, perform the following steps:

1. Login to the User Manager as the Master Administrator and select the Configuration tab.
2. Select Attribute Access Control.
3. Select all attributes and assign their Read rights to Manager and Self.
4. Click Save.
5. Select all but the six Oracle Transportation Management attributes and assign their Modify
rights to Manager.
6. Click Save.
7. Confirm no role is assigned modify rights for the Oracle Transportation Management
attributes.



Adding Workflows
All user information should be controlled via workflows. These workflows provide steps to validate
changes to Oracle Transportation Management user attributes and forward accepted changes to Oracle
Transportation Management. This ensures that OAM and Oracle Transportation Management user
information is synchronized.

Note that the following sections assume you have familiarity with creating basic and custom
workflows. Workflows should already be enabled for adding, modifying, and deactivating non-Oracle
Transportation Management users in your enterprise. An additional workflow must be enabled for
adding a group. Please consult the OAM Identity and Common Administration Guide for more
information.

The workflow examples provided in sections Adding Workflow: Create Oracle Transportation
Management User, Adding Workflow: Modify Oracle Transportation Management User, and Adding
Workflow: Delete Oracle Transportation Management User can serve as starting points for more
complex workflows requiring automated or human approval processes. They are provided as simple
examples for synchronizing Oracle Transportation Management with OAM in response to external
actions.

Adding Workflow: Create Oracle Transportation Management User

Add a workflow to support creation of Oracle Transportation Management users using the following
steps:

1. Create a Create User type workflow named Create OTM User.


2. Specify a target domain of OTM, matching the LDAP domain specified for OAM user
information.
3. Add the following workflow steps:
Step: Initiate
  Previous Step Requirement: none
  Attributes: required fields for non-Oracle Transportation Management users (e.g. Full Name,
    Last Name); Manager; if SSO, include Login and User Password; otmUserGid, otmUserRole,
    otmUserPreferences, otmUserMenus, otmNickname, otmPassword
  Participants: Anyone
  Notes: Select all Oracle Transportation Management attributes, select the Properties button
    and set the kind to Optional. If not supporting an Oracle Transportation Management
    intranet, the otmNickname can be Hidden. If you're using SSO, you may want to set
    otmPassword to Hidden; this will use the default Oracle Transportation Management
    password in the GL_USER table.

Step: External Action
  Previous Step Requirement: 1:Initiate = True
  Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname,
    otmPassword
  Participants: (none)
  Notes: Select all Oracle Transportation Management attributes, select the Properties button
    and set the kind to Optional.

Step: Enable
  Previous Step Requirement: 2:External Action = True
  Attributes: (none)
  Participants: (none)
  Notes: If the External Action fails due to a validation or communications error, the action
    returns an error message to the OAM results page and aborts without creating the user.


4. Save and enable the workflow.
5. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle
Transportation Management External Actions section.
Adding Workflow: Modify Oracle Transportation Management User

Add a workflow to support modification of Oracle Transportation Management user information using
the following steps:

1. Create a Change Attribute type workflow named Modify OTM User. Select otmUserGid as the
change attribute.
2. Add the following workflow steps:

Step: Request
Previous Step Requirement: (none)
Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
Participants: Manager
Notes: Select all Oracle Transportation Management attributes except for otmUserGid, select the
Properties button and set the kind to Optional. If not supporting an Oracle Transportation
Management intranet, the otmNickname can be Hidden. If you are using SSO, you may want to set
otmPassword to Hidden; this will use the default Oracle Transportation Management password in the
GL_USER table.

Step: External Action
Previous Step Requirement: 1:Request = True
Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
Participants: (none)
Notes: Select all Oracle Transportation Management attributes except for otmUserGid, select the
Properties button and set the kind to Optional.

Step: Commit
Previous Step Requirement: 2:External Action = True
Attributes: (none)
Participants: (none)
Notes: If the External Action fails due to a validation or communications error, the action returns
an error message to the OAM results page and the action aborts without committing the user
modification.


3. Save and enable the workflow.
4. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle
Transportation Management External Actions section.
Adding Workflow: Delete Oracle Transportation Management User

Add a workflow to support removal of Oracle Transportation Management users using the following
steps:

1. Create a Deactivate User type workflow named Delete OTM User.
2. Add the following workflow steps:

Step: Initiate
Previous Step Requirement: (none)
Attributes: otmUserGid
Participants: Manager
Notes: (none)

Step: External Action
Previous Step Requirement: 1:Initiate = True
Attributes: otmUserGid, otmUserRole, otmUserPreferences, otmUserMenus, otmNickname, otmPassword
Participants: (none)
Notes: Select all Oracle Transportation Management attributes, select the Properties button and set
the kind to Optional.

Step: Delete
Previous Step Requirement: 2:External Action = True
Attributes: (none)
Participants: (none)
Notes: If the External Action fails due to a validation or communications error, the action returns
an error message to the OAM results page and the action aborts without deleting the user.


3. Save and enable the workflow.
4. View the workflow, taking note of the obworkflowid. This will be used in the Linking Oracle
Transportation Management External Actions section.

Linking Oracle Transportation Management External Actions

OAM communicates with Oracle Transportation Management via two servlets running on an Oracle
Transportation Management web server:

 a validation servlet, to verify Oracle Transportation Management attribute data exists in the
Oracle Transportation Management schema
 an integration servlet, to create/update/delete Oracle Transportation Management users
Three external actions, written in Java, are provided to implement the external actions from the OAM
workflows to these Oracle Transportation Management servlets. To install these actions:

1. Make sure a Java Run-Time Environment (JRE) is installed on the identity server.
2. Create a directory on your identity server for the Oracle Transportation Management external
actions. We recommend:

<OAM Identity Server Installation Directory>/oblix/apps/otm

This will be referred to as the OTM Apps Directory.

3. Copy the following files from the OAMExternalActions directory under your Oracle
Transportation Management installation to the OTM Apps Directory:
 OnOTMUserAdd.jar
 OnOTMUserChange.jar
 OnOTMUserDelete.jar
 xercesImpl.jar

4. Edit the oblixpppcatalog.lst file in the <OAM Identity Server Installation
Directory>/oblix/apps/common/bin directory. Add the following lines (each entry is a single line;
on Unix the launcher is java rather than java.exe):
# Create OTM User
<Create ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserAdd.jar <args>
# Update OTM User
<Update ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserChange.jar <args>
# Change User Profile Attribute
userservcenter_inetOrgPerson_onchange;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserChange.jar <args>
# Delete OTM User
<Delete ID>_2_externalaction;exec;;<JRE Directory>/java.exe;-jar <OTM Apps Directory>/OnOTMUserDelete.jar <args>

where:

 Create ID = the Create OTM User obworkflowid from the Adding Workflow: Create Oracle
Transportation Management User section.
 Update ID = the Modify OTM User obworkflowid from the Adding Workflow: Modify Oracle
Transportation Management User section.
 Delete ID = the Delete OTM User obworkflowid from the Adding Workflow: Delete Oracle
Transportation Management User section.
 JRE Directory = a Java bin directory, installed on the identity server.
 OTM Apps Directory = the directory created in Step 2, holding the Oracle Transportation
Management external actions.
 Args = command line arguments for the Oracle Transportation Management external actions.
Each Oracle Transportation Management action takes the same set of arguments. The
following table describes these arguments in detail:
Argument: -server <protocol>://<server>:<port>
Required/Optional: Required
Example: -server http://otmWeb-01:8080
Description: The Oracle Transportation Management web server to use for validation and
integration. Because the integration user's credentials are sent to this server, prefer https
where the Oracle Transportation Management web server supports it.

Argument: -user <OTM user>
Required/Optional: Required
Example: -user DBA.ADMIN
Description: The Oracle Transportation Management integration user. This user must have rights to
add/modify/delete all Oracle Transportation Management users possibly sent from OAM.
Note: Managers cannot have direct attribute modify rights due to workflow constraints, so the
integration should use a master administrator or a particular user with assigned rights.

Argument: -password <password>
Required/Optional: Required
Example: -password CHANGEME
Description: The Oracle Transportation Management integration password.

Argument: -email <email address>
Required/Optional: Optional
Example: -email john.doe@oracle.com
Description: If the Oracle Transportation Management integration fails, this email address
receives an Oracle Transportation Management Transmission Error report.

Argument: -oamServer <protocol>://<server>:<port>
Required/Optional: Required for Modify OTM User
Example: -oamServer http://oamIdentity:80
Description: The OAM Identity web server to use for user queries. This is used to retrieve old
values when receiving new values from the Modify OTM User workflow.

Argument: -oamUser <OAM user>
Required/Optional: Required for Modify OTM User
Example: -oamUser orcladmin
Description: The OAM user for the query. This user must have read access to all Oracle
Transportation Management attributes.

Argument: -oamPwd <OAM Password>
Required/Optional: Required for Modify OTM User
Example: -oamPwd mypassword
Description: The OAM password.

Argument: -log <log file>
Required/Optional: Optional
Example: -log c:/log/OAMtoOTM.log
Description: Specifies a log file on the Identity Server to track OAM to Oracle Transportation
Management communication.

Argument: -debug
Required/Optional: Optional
Example: -debug
Description: Turns on debugging. Intermediate communication files are written to c:/temp on the
Identity Server.

Argument: -manyToOneModel
Required/Optional: Optional
Example: -manyToOneModel
Description: Allows many-to-one mapping between OAM users and Oracle Transportation Management
users. Generally, each Oracle Transportation Management user should map to at most one OAM user;
this allows Oracle Transportation Management credentials and access to be uniquely associated with
an OAM user. There may be cases where mapping many OAM users to the same Oracle Transportation
Management user increases scalability.

Argument: -retainOTMUsers
Required/Optional: Optional
Example: -retainOTMUsers
Description: By default, Oracle Transportation Management deletes an Oracle Transportation
Management user if the corresponding OAM user is deleted or has its otmUserGid cleared. This
option suppresses that behavior. Note that if manyToOneModel is set, retainOTMUsers is
automatically set, since multiple OAM users may be associated with the same Oracle Transportation
Management user.


An example oblixpppcatalog.lst file is provided in the OAMExternalActions directory under your
Oracle Transportation Management installation. Because the file carries the -password and
-oamPwd values in clear text, restrict its file permissions to the account the identity server runs
as.

5. Restart your identity server.
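Hand-editing oblixpppcatalog.lst is where this integration usually goes wrong: a workflow id pointed at the wrong jar, or a required argument left off the change action. The following checker is an added example, not part of the Oracle Transportation Management or OAM distribution. It parses entries of the exec form shown above, applies the Required/Optional rules from the argument table, and reports the mismatches. The workflow ids, hostnames and paths in SAMPLE_CATALOG are constructed for the demonstration.

```python
"""Check the OTM external-action entries of an OAM oblixpppcatalog.lst.

Added example, not part of the Oracle Transportation Management or OAM
distribution. Entries have the form '<id>;exec;;<java>;-jar <jar> <args>'.
Workflow ids, hostnames and paths in SAMPLE_CATALOG are constructed.
"""
import shlex
from dataclasses import dataclass, field

# Role each jar implements; the userservcenter onchange hook reuses the change jar.
JAR_ROLE = {
    "OnOTMUserAdd.jar": "create",
    "OnOTMUserChange.jar": "update",
    "OnOTMUserDelete.jar": "delete",
}
ALWAYS_REQUIRED = ("server", "user", "password")
UPDATE_REQUIRED = ("oamServer", "oamUser", "oamPwd")   # only the change action queries OAM
FLAGS = {"debug", "manyToOneModel", "retainOTMUsers"}  # switches that take no value


@dataclass
class Entry:
    action_id: str
    java: str
    jar: str
    args: dict = field(default_factory=dict)


def parse_args(tokens):
    """Turn ['-server', 'https://h:8443', '-debug'] into {'server': ..., 'debug': True}."""
    args = {}
    i = 0
    while i < len(tokens):
        name = tokens[i]
        if not name.startswith("-"):
            raise ValueError(f"unexpected token {name!r}")
        name = name[1:]
        if name in FLAGS:
            args[name] = True
            i += 1
        elif i + 1 < len(tokens):
            args[name] = tokens[i + 1]
            i += 2
        else:
            raise ValueError(f"missing value for -{name}")
    return args


def parse_catalog(text):
    """Yield an Entry for every exec line that launches a jar."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(";")
        if len(fields) != 5 or fields[1] != "exec":
            continue  # not an external action in the exec form used here
        tokens = shlex.split(fields[4])
        if len(tokens) < 2 or tokens[0] != "-jar":
            continue
        yield Entry(fields[0], fields[3], tokens[1], parse_args(tokens[2:]))


def check_catalog(text, workflow_ids):
    """Return {action_id: [problem, ...]} for each OTM entry in the catalog.

    workflow_ids maps 'create', 'update' and 'delete' to the obworkflowid
    noted when each workflow was viewed, e.g. {'create': 'wf100', ...}.
    """
    wanted_role = {f"{wf}_2_externalaction": role for role, wf in workflow_ids.items()}
    report = {}
    for e in parse_catalog(text):
        problems = []
        jar_name = e.jar.replace("\\", "/").rsplit("/", 1)[-1]
        role = JAR_ROLE.get(jar_name)
        if role is None:
            problems.append(f"unknown jar {jar_name}")
        expected = wanted_role.get(e.action_id)
        if expected and role != expected:
            problems.append(f"{expected} workflow launches {jar_name}")
        missing = [a for a in ALWAYS_REQUIRED if a not in e.args]
        if role == "update":
            missing += [a for a in UPDATE_REQUIRED if a not in e.args]
        if missing:
            problems.append("missing " + ", ".join("-" + a for a in missing))
        if e.args.get("server", "").startswith("http://"):
            problems.append("integration credentials sent over plain http")
        report[e.action_id] = problems
    return report


# Constructed sample with two deliberate mistakes (see the comments).
SAMPLE_CATALOG = """\
# Create OTM User
wf100_2_externalaction;exec;;/opt/jre/bin/java;-jar /opt/oam/oblix/apps/otm/OnOTMUserAdd.jar -server https://otmweb:8443 -user DBA.ADMIN -password CHANGEME -log /var/log/oam/otm.log
# Update OTM User (mistake: -oamPwd omitted)
wf101_2_externalaction;exec;;/opt/jre/bin/java;-jar /opt/oam/oblix/apps/otm/OnOTMUserChange.jar -server https://otmweb:8443 -user DBA.ADMIN -password CHANGEME -oamServer http://oamid:80 -oamUser orcladmin
# Change User Profile Attribute
userservcenter_inetOrgPerson_onchange;exec;;/opt/jre/bin/java;-jar /opt/oam/oblix/apps/otm/OnOTMUserChange.jar -server https://otmweb:8443 -user DBA.ADMIN -password CHANGEME -oamServer http://oamid:80 -oamUser orcladmin -oamPwd secret
# Delete OTM User (mistakes: change jar instead of delete jar, plain http)
wf102_2_externalaction;exec;;/opt/jre/bin/java;-jar /opt/oam/oblix/apps/otm/OnOTMUserChange.jar -server http://otmweb:8080 -user DBA.ADMIN -password CHANGEME -oamServer http://oamid:80 -oamUser orcladmin -oamPwd secret -manyToOneModel
"""

if __name__ == "__main__":
    ids = {"create": "wf100", "update": "wf101", "delete": "wf102"}
    for action_id, problems in check_catalog(SAMPLE_CATALOG, ids).items():
        print(action_id, "->", problems or "ok")
```

Run it against the real file with the three obworkflowids you recorded; an empty problem list for every entry is the expected result before restarting the identity server.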

Oracle Transportation Management Property Modifications
When user attributes are changed in Oracle Transportation Management, OAM must be notified of the
changes. In general, Oracle Transportation Management uses Identity XML to:

 Look up all OAM users referencing the modified Oracle Transportation Management user. These
are users with a matching otmUserGid.
 Update the affected attributes on the OAM user.
If the Oracle Transportation Management user is deleted, all Oracle Transportation Management
attributes are cleared on associated OAM users. If an Oracle Transportation Management user is
added, OAM users are searched for a matching otmUserGid and all their Oracle Transportation
Management attributes are synchronized with current values. [3]

The following Oracle Transportation Management properties control communication with OAM:

glog.security.oam.server=<WebPass host>
glog.security.oam.user=<OAM user>
glog.security.oam.password=<OAM password>

Note: The OAM user must have modify rights to all Oracle Transportation Management attributes on
all affected OAM users. Its password is stored in clear text in glog.security.oam.password, so
grant it no rights beyond these and protect the property file.

To monitor updates from Oracle Transportation Management to OAM, enable the Oracle Transportation
Management log ID: OAM.

[3] This is unlikely to occur since workflows fail if Oracle Transportation Management/OAM
communication paths are down.


3. Single Sign-on Setup
OAM Access System Modifications
To integrate a single sign-on architecture with Oracle Transportation Management, the access server
needs to associate a policy domain with the Oracle Transportation Management resources.

1. Login to the Access Manager as the Master Administrator and select the Policy Manager tab.
2. Create a new Policy Domain named OTM.
3. Add an http resource type with a URL prefix of /GC3. This will control all access to Oracle
Transportation Management servlets.
4. Create an authorization rule named OTM Authorization. The rule should have a single
success action, returning a HEADERVAR type variable named HTTP_OTM_UID for return attribute
otmUserGid. This forwards the Oracle Transportation Management User GID attribute to
Oracle Transportation Management on successful authorization. Make sure the rule allows
access to the Any one role and enable the rule.
5. Create a default authentication rule named OTM Authentication. Typically, this uses the
basic over LDAP authentication scheme. If you did not configure standard authentication when
installing the access server, consult the OAM Access Administration Guide. The authentication
rule should have a single success action, returning a HEADERVAR type variable named
HTTP_OTM_UID for return attribute otmUserGid. This forwards the Oracle Transportation
Management User GID attribute to Oracle Transportation Management on successful
authentication.
6. Create a default authorization expression named OTM Authorization. This should simply
select the OTM Authorization rule.
7. Create a policy named OTM Policy. This policy should apply to http resources with the /GC3
prefix and cover operations GET, POST, PUT and HEAD.
8. Save and enable the Oracle Transportation Management policy domain.
9. Use Access Tester to verify your policy domain. Specify a URL of http://localhost/GC3/glog,
an operation of GET, show all users with show matching Policy and show matching Rule.
The resulting test should show all users with a policy of OTM Policy, a rule of OTM
Authorization and authorized.



OAM Web Server Modifications
Please refer to the OAM Installation Guide for steps on configuring single sign-on with WebGate.

Oracle Transportation Management Property Modifications


To respect header variables sent by OAM authentication and authorization success actions, the Oracle
Transportation Management web server must include the following properties:

glog.security.sso=true
glog.security.sso.appUidName=HTTP_OTM_UID
glog.security.sso.appUidLocation=3

Because Oracle Transportation Management then identifies the user from the HTTP_OTM_UID header,
any client that can send requests to the Oracle Transportation Management web server without
passing through WebGate can set that header itself. Restrict network access so that requests from
outside the intranet reach the web server only through the WebGate-protected web tier.

Once SSO is activated, Oracle Transportation Management disables its logout button by default. You
can control the display and effect of the logout button with the following optional properties:

glog.security.sso.logoutButton=true
glog.security.sso.logoutUrl=<URL for OAM logout>

E.g., a relative path to the English logout page is: ../access/oblix/lang/en-us/logout.html.

To support an Oracle Transportation Management intranet (see the General Architecture section),
users with direct access to the Oracle Transportation Management web server may circumvent OAM
authentication and authorization, logging directly into Oracle Transportation Management. These users
always see a logout button and are logged out from Oracle Transportation Management (not OAM) if it
is selected.
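The header-trust rule above is easy to state and easy to get wrong, so here is the check in code. This is an added example, not Oracle Transportation Management code: it models a CGI/WSGI-style request environment in which request headers appear as HTTP_* keys and the TCP peer as REMOTE_ADDR, and honours HTTP_OTM_UID only when the peer is one of the WebGate-fronted web servers. The trusted network range and the user ids are constructed; how the real product reads the header is governed by the glog.security.sso.* properties and is not reproduced here.

```python
"""Decide whether HTTP_OTM_UID may be trusted for a given request.

Added example, not Oracle Transportation Management code. The trusted
network range and the user ids below are constructed for the demonstration.
"""
import ipaddress

APP_UID_HEADER = "HTTP_OTM_UID"  # glog.security.sso.appUidName


def strip_untrusted_sso_headers(environ, trusted_proxies):
    """Return a copy of the environ with HTTP_OTM_UID removed unless
    REMOTE_ADDR belongs to one of the WebGate-fronted web servers.

    A header arriving from any other peer was written by the client itself,
    so dropping it makes the request fall through to the normal login form,
    which is the behaviour the intranet case above describes.
    """
    cleaned = dict(environ)
    peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", "0.0.0.0"))
    if not any(peer in net for net in trusted_proxies):
        cleaned.pop(APP_UID_HEADER, None)
    return cleaned


def resolve_user(environ, trusted_proxies):
    """Return ('sso', gid) when WebGate asserted the user, or ('login', None)
    when the application must authenticate the user itself."""
    env = strip_untrusted_sso_headers(environ, trusted_proxies)
    gid = env.get(APP_UID_HEADER, "").strip()
    return ("sso", gid) if gid else ("login", None)


def resolve_user_naive(environ):
    """The unsafe variant: trusts the header from any peer. Shown for contrast only."""
    gid = environ.get(APP_UID_HEADER, "").strip()
    return ("sso", gid) if gid else ("login", None)


# Constructed deployment: the WebGate web tier lives in 10.0.1.0/24.
TRUSTED = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed requests.
VIA_WEBGATE = {"REMOTE_ADDR": "10.0.1.5", "HTTP_OTM_UID": "GUEST.JDOE"}  # header set by the OAM success action
DIRECT_INTRANET = {"REMOTE_ADDR": "10.0.7.20"}                              # no header: user logs in to OTM directly
FORGED = {"REMOTE_ADDR": "203.0.113.7", "HTTP_OTM_UID": "DBA.ADMIN"}        # client reaching the web server directly


def demo():
    """Outcomes for the three constructed requests under both policies."""
    return {
        "via_webgate": resolve_user(VIA_WEBGATE, TRUSTED),
        "direct_intranet": resolve_user(DIRECT_INTRANET, TRUSTED),
        "forged_hardened": resolve_user(FORGED, TRUSTED),
        "forged_naive": resolve_user_naive(FORGED),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:16} -> {outcome}")
```

Filtering on the peer address is the simplest form of the check; a TLS channel on which the web tier authenticates itself to the application server serves the same purpose, and either way the rule is the same: the header is an assertion from WebGate, never from the browser.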

Configure FTI/GTI with OAM (SSO)


This section provides the steps to configure single sign-on for Fusion Transportation Intelligence (FTI)
/ Global Trade Intelligence (GTI) using Oracle Access Manager (OAM), assuming the users of FTI/GTI
are from Oracle Internet Directory (OID). The groups are assigned to these users by means of an
external table GL_USER.

Current Security Mechanism


FTI/GTI uses external table authentication, in which the users and encrypted passwords are saved in a
GL_USER table in the database and OBIEE authenticates against them. Access through OTM is done by
passing the user name and session ID via URL parameters in the OBIEE URL link and authenticating
against the GL_USER_AUTH table.

Prerequisites to use single sign-on (SSO) for FTI/GTI


 Oracle Fusion Transportation Intelligence (FTI) or Oracle Global Trade Intelligence (GTI) is
deployed.
 Oracle Internet Directory (OID) is installed.
 Oracle Access Manager (OAM) is installed and configured with OID.
 Only user authentication is to be done by OID. The groups for the user are retrieved from an
external table in the database.
Configuration Process
1. Install Oracle Fusion Middleware 11g Web Tier (11.1.1.5 version or later).
 This will install Oracle HTTP Server (OHS).

 To install this, a WebLogic server should be up and running. So install OHS on the
WebLogic server used for OBIEE.
The installation steps can be found in: Oracle Fusion Middleware Installation Guide for Oracle
Web Tier 11g Release 1 (11.1.1).

2. Configure OHS to access OBIEE.
a. Configure mod_wl_ohs in OHS to forward requests to the OBIEE Managed Server
(bi_server1). Modify the mod_wl_ohs.conf file to give the WebLogic server details and
the OBIEE location as shown below. The file is located in
[OHS_HOME]\instances\instance\config\OHS\ohs1\mod_wl_ohs.conf:
<IfModule weblogic_module>
WebLogicHost <host_name>.com
WebLogicPort 7001
Debug ON
</IfModule>

<Location /analytics>
SetHandler weblogic-handler
</Location>

Debug ON produces verbose plug-in logging; use it while verifying the setup and turn it off
afterwards.
b. Restart OHS.
c. Test that you can access OBIEE via the OHS server.

Once WebGate is in place (steps 3 to 5), a request to ohs-machine:ohs-port/analytics is first
checked for OAM authentication and then forwarded to OBIEE analytics.
3. Install WebGate.
Detailed installation steps for WebGate can be found in Oracle Fusion Middleware Installation
Guide for Oracle Identity Management 11g Release 1, section 23.3 Installing Oracle HTTP Server 11g
WebGate for Oracle Access Manager.

4. Once WebGate is installed, deploy WebGate into OHS as follows:
a. Go to the <WEBGATE11G_HOME>\webgate\ohs\tools folder.
b. For Windows, run >deployWebGateInstance.bat -w
<OHS_HOME>\instances\instance\config\OHS\otm63 -oh <WEBGATE11G_HOME>
c. For Linux, run >deployWebGateInstance.sh -w
<OHS_HOME>/instances/instance/config/OHS/otm63 -oh <WEBGATE11G_HOME>
d. Add the necessary WebGate configuration information to the OHS config files:
i. Add [OHS_HOME]\lib to the path environment variable for this machine.
ii. Go to the <WEBGATE11G_HOME>\webgate\ohs\tools\ folder and locate the
EditHttpConf file.
iii. For Windows, run >EditHttpConf.exe -w
[OHS_HOME]\instances\instance\config\OHS\ohs1 -oh <WEBGATE11G_HOME>
iv. For Unix, run >EditHttpConf -w
[OHS_HOME]/instances/instance/config/OHS/ohs1 -oh <WEBGATE11G_HOME>
e. Verify that the following exist:
 [OHS_HOME]\instances\instance\config\OHS\ohs1\webgate.conf
 [OHS_HOME]\instances\instance\config\OHS\ohs1\httpd.conf.ORIG
 [OHS_HOME]\instances\instance\config\OHS\ohs1\httpd.conf, which must contain the include of
[OHS_HOME]\instances\instance\config\OHS\ohs1\webgate.conf as its last line.

f. Restart OHS.
5. Create an instance of WebGate in OAM 11g as follows. WebGate is a web server plug-in that
intercepts user requests and communicates with the OAM server.

a. Register WebGate11G with OAM server as follows:


i. Go to the <OAM_HOME>\oam\server\rreg\input folder
ii. Edit the OAM11GRequest.xml files as follows:
<OAM11GRegRequest>
<serverAddress>http://<oam_host>.com:<oam_port></serverAddress>
<hostIdentifier>OBIEE_HostId11GLinux</hostIdentifier>
<agentName>OBIEE_OAM11GLinux</agentName>
<agentBaseUrl>http://<ohs_host>.com:<ohs_port></agentBaseUrl>
<applicationDomain>OBIEE_OAM11GLinux</applicationDomain>
<userDefinedParameters>
<userDefinedParam>
<name>RetainDownstreamPostData</name>
<value>true</value>
</userDefinedParam>
</userDefinedParameters>
</OAM11GRegRequest>

iii. Go to the <OAM_HOME>\oam\server\rreg\bin\ folder.
iv. Edit oamreg.bat (Windows) so that:
1. OAM_REG_HOME points to the correct rreg folder location, if not already set:
set OAM_REG_HOME="[OAM_HOME]\oam\server\rreg"
2. JDK_HOME points to JAVA_HOME. Make sure that JAVA_HOME is set in your environment:
set JDK_HOME=%JAVA_HOME%

v. Windows: At a command prompt, enter the following:
>cd [OAM_HOME]\oam\server\rreg
bin\oamreg.bat inband input\OAM11GRequest.xml

vi. Linux: At a command prompt, enter the following (oamreg.sh is the Unix form of the same
tool):
>cd [OAM_HOME]/oam/server/rreg
bin/oamreg.sh inband input/OAM11GRequest.xml

Note: When prompted for the agent credentials, enter the username weblogic and the password of
that WebLogic user.

vii. In the OAM console, add a response of type Header named OAM_REMOTE_USER to the policy of
the application domain registered above.


viii. Go to <OAM_HOME>\oam\server\rreg and locate the following files:
 ObAccessClient.xml (storing WebGate Config parameters)
 cwallet.sso
ix. Copy above files to the OHS installed machine in the following location:
<OHS_HOME>/instances/instance1/config/OHS/ohs1/webgate/config/.
x. Restart OAM.
xi. Restart OHS.

6. Integrate OBIEE 11g with OID for user repository.
By default OBIEE 11g authenticates against WebLogic’s embedded LDAP server using the
Default Authentication Provider.

a. You must add an additional Authentication Provider of type OID in the WebLogic
Security Realm in weblogic Administration Console.
b. Set the control flag of that authentication provider to SUFFICIENT.
The control flags available are:

REQUIRED — The Authentication provider is always called, and the user must always
pass its authentication test.

SUFFICIENT — If the user passes the authentication test of the Authentication


provider, no other Authentication providers are executed (except Authentication
providers with the JAAS Control Flag set to REQUIRED) because the user was
sufficiently authenticated.

REQUISITE — If the user passes the authentication test of this Authentication


provider, other providers are executed but can fail (except for Authentication providers
with the JAAS Control Flag set to REQUIRED).

OPTIONAL — The user is allowed to pass or fail the authentication test of this
Authentication provider. However, if all Authentication providers configured in a
security realm have the JAAS Control Flag set to OPTIONAL, the user must pass the
authentication test of one of the configured providers.

c. Place this additional authentication provider on the top of the list.


d. Make sure to keep the Default WebLogic Authentication Provider to allow the
BISystemUser to authenticate the BI server against WebLogic and for other internal
communications.
Note: The configuration steps can be found in Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, section 3 Using Alternative Authentication Providers,
sub-section 3.2.3.1 Configuring Oracle Business Intelligence to Use Oracle Internet Directory as
the Authentication Provider.

7. In WebLogic Enterprise Manager, add the property virtualize and set the value to true.
This property allows multiple authentication providers to be configured for OBIEE.

Note: The configuration steps can be found in Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, section 3 Using Alternative Authentication Providers,
sub-section 3.2.3.3 Configuring Oracle Business Intelligence to Use Multiple Authentication
Providers.

8. Regenerate GUID’s in Oracle BI.


GUID regeneration is the process of regenerating any metadata references to user GUIDs in
the Oracle BI repository and Oracle BI Presentation Catalog. During the GUID regeneration
process, each user name is looked up in the identity store. Then, all metadata references to
the GUID associated with that user name are replaced with the GUID in the identity store.

Note: The configuration steps can be found in Oracle Fusion Middleware Security Guide for Oracle
Business Intelligence Enterprise Edition, section 3 Using Alternative Authentication Providers,
sub-section 3.2.7 Regenerating User GUIDs.



9. Configure OAMIdentityAsserter as a new security service provider for WebLogic.
a. Add another authentication provider in WebLogic administration console of type
OAMIdentityAsserter.
b. Configure OAM_REMOTE_USER as response header in the OAMIdentityAsserter
authentication provider.
c. Set the control flag of this authentication provider to SUFFICIENT.
d. Move this authentication provider on the top of the list so that the OID authentication
provider appears second top in the list of authentication providers.
Note: The detailed steps are given in Oracle Fusion Middleware Security Guide for Oracle Business
Intelligence Enterprise Edition 11g Release 1 (11.1.1), section 4 Enabling SSO Authentication,
sub-section 4.4.2 Configuring Oracle Access Manager as a New Identity Asserter for Oracle WebLogic
Server.
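The control flags listed in step 6 and the provider ordering required in step 9 interact, and the consequences of getting either wrong (BISystemUser locked out, or SSO users never reaching the asserter) only show up at login time. The simulator below is an added example, not WebLogic or OBIEE code: it implements the JAAS login-stack rules that the step 6 descriptions restate, so the outcome of a given provider order can be checked without a running domain. The provider names follow the guide; the Default Authenticator's flag is assumed SUFFICIENT here, which the guide does not state, and the per-provider results for each login attempt are constructed.

```python
"""Simulate WebLogic's JAAS control flags over an ordered provider stack.

Added example, not WebLogic or OBIEE code. A provider result of None models
a provider that ignores the request (for example the identity asserter when
no OAM_REMOTE_USER header is present); True/False model pass/fail.
"""
REQUIRED, REQUISITE, SUFFICIENT, OPTIONAL = "REQUIRED", "REQUISITE", "SUFFICIENT", "OPTIONAL"


def jaas_outcome(stack, results):
    """Return (authenticated, providers_consulted).

    stack:   ordered list of (provider_name, control_flag)
    results: {provider_name: True | False | None} for this login attempt
    """
    success = False
    first_required_error = None  # a REQUIRED/REQUISITE failure is always fatal
    consulted = []
    for name, flag in stack:
        consulted.append(name)
        outcome = results.get(name)
        if outcome is True:
            success = True
            if flag == SUFFICIENT and first_required_error is None:
                break  # sufficient: later providers are not consulted
        elif outcome is False:
            if flag in (REQUIRED, REQUISITE):
                first_required_error = first_required_error or name
                if flag == REQUISITE:
                    break  # requisite failure stops the stack at once
            # SUFFICIENT/OPTIONAL failures matter only if nothing succeeds
        # None: the provider ignored the request and has no effect
    return (success and first_required_error is None), consulted


# Provider order from steps 6 and 9: asserter first, OID second, Default kept.
GUIDE_STACK = [
    ("OAMIdentityAsserter", SUFFICIENT),
    ("OIDAuthenticator", SUFFICIENT),
    ("DefaultAuthenticator", SUFFICIENT),  # flag assumed, see the module docstring
]

# Constructed login attempts.
SSO_BROWSER = {"OAMIdentityAsserter": True}  # WebGate supplied OAM_REMOTE_USER
BISYSTEM_USER = {                            # internal account, exists only in embedded LDAP
    "OAMIdentityAsserter": None,
    "OIDAuthenticator": False,
    "DefaultAuthenticator": True,
}
UNKNOWN_USER = {
    "OAMIdentityAsserter": None,
    "OIDAuthenticator": False,
    "DefaultAuthenticator": False,
}


def scenarios():
    """Outcomes for the guide's stack and for two common misconfigurations."""
    oid_required = [GUIDE_STACK[0], ("OIDAuthenticator", REQUIRED), GUIDE_STACK[2]]
    return {
        "sso_browser": jaas_outcome(GUIDE_STACK, SSO_BROWSER),
        "bisystemuser": jaas_outcome(GUIDE_STACK, BISYSTEM_USER),
        "unknown_user": jaas_outcome(GUIDE_STACK, UNKNOWN_USER),
        # step 6d: removing the Default provider locks out BISystemUser
        "bisystemuser_no_default": jaas_outcome(GUIDE_STACK[:2], BISYSTEM_USER),
        # step 6b: flagging OID REQUIRED instead of SUFFICIENT does the same
        "bisystemuser_oid_required": jaas_outcome(oid_required, BISYSTEM_USER),
    }


if __name__ == "__main__":
    for name, (ok, path) in scenarios().items():
        print(f"{name:26} authenticated={ok!s:5} via {' -> '.join(path)}")
```

The two failing scenarios are the ones to keep in mind when touching the realm later: any REQUIRED or REQUISITE flag on a provider that does not know BISystemUser, or the removal of the Default Authenticator, breaks the BI server's own internal authentication even though browser SSO keeps working.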

10. Enable OBIEE to use SSO.


a. In the WebLogic enterprise manager, navigate to Business Intelligence >
Coreapplication > security.
b. Enable SSO by choosing Oracle Access Manager.
Note: The detailed steps are given in Oracle Fusion Middleware Security Guide for Oracle Business
Intelligence Enterprise Edition 11g Release 1 (11.1.1), section 4 Enabling SSO Authentication,
sub-section 4.6 Using Fusion Middleware Control to Enable SSO Authentication.
