A long story of products integration continues in 12c.
We've seen how Oracle Forms 11g can be integrated with Oracle Access Manager in A Case Study - Setting Up Oracle Forms 11g with OAM (Oracle Access Manager)
Now, Oracle Forms 12c can be protected by Oracle Access Managed (OAM) 11gR2 patch set 3.
Oracle Access Manager 11g is a Java Platform, Enterprise Edition (Java EE) - based enterprise - level security application that provides restricted access to confidential information and centralized authentication and authorization services.
Oracle Access Manager 11g, a component of Oracle Fusion Middleware 11g, is a Single Sign-On solution for authentication and authorization.
Authentication servers enable an application to authenticate users by means of a shared authentication token or authentication authority. That means that a user authenticated for one application is automatically authenticated for all other applications within the same authentication domain.
Forms applications use a single sign-on solution only for obtaining database connection information from Oracle Internet Directory or Oracle Platforms Security Services (OPSS).
Once the database information is obtained, interaction with the authentication server no longer occurs.
Exiting a Forms application does not perform a single sign-on logout unless the application has been coded with one of the SSO logout features introduced in Oracle Forms 12c.
Conversely, logging out of a single sign-on session does not terminate an active Forms session unless the application has been coded with one of the SSO logout features introduced
in Oracle Forms 12c. The database session exists until the Forms Runtime (for example, frmweb.exe) on the server terminates, usually by explicitly exiting the form.
As a prerequisite of the integration, following installations have to be complete:
- Oracle Access Manager 11gR2 patch set 3
- Oracle Forms 12c
- If Oracle Internet Directory is used as an Identity Store, install Oracle Internet Directory and integrate it with OAM,
- Webgate integrated with the HTTP Server fronting Oracle Forms 12c
Next, the integration is separated in sections as follows:
I. Integrate Webtier HTTP Server with Oracle Forms
If a remote HTTP Server is used, an additional step of integration with Forms has to be completed by following the steps in 3.2.3.2 Configuring OHS on a Separate Host.
After the Webtier HTTP Server is restarted, the integration can be tested through URL: http://hostname:port/forms/frmservlet? , where hostname is the hostname where the Webtier HTTP Server is installed and the port is the Webtier HTTP Server listen port. Once Forms is accessible this way, the integration can proceed.
If the HTTP Server that comes with the Forms installation is used, only the accessibility test of Forms through HTTP Server is needed.
II. Install and configure Oracle HTTP Server Webgate for OAM
There are two ways to integrate the HTTP Server with Webgate.
1. Manually: follow the steps from B.2 Configuring Oracle HTTP Server 12c WebGate.
2. Automatically: Run the E.1 Oracle Forms Configuration Helper Script
III. Select the partner application registration approach
A. Manual Method - Use OAM Admin Console
1. Log in to the OAM console. - http://hostname:port/oamconsole
2. On the Welcome page, click on New OAM 11g Webgate
3. Provide all the details such as the Base URL, which should be http://hostname:port , where hostname is the hostname of the Webtier HTTP Server machine and the port is the Webtier HTTP Server listen port. Ensure that the Auto Create Policies check box is checked.
While creating the webgate agent, add the following URL to the Protected Resource List:
/forms/frmservlet?*oamMode=true*
The parameter values for the Webgate agent will be created on the OAM machine in DOMAIN_HOME/output/<agent name>. There will be two files created, cwallet.sso and ObAccessClient.xml. These files need to be copied to the Webtier machine in WEBTIER_INSTANCE/config/OHS/ohs1/webgate/config. The cwallet.sso file needs to be copied in BINARY mode and the ObAccessClient.xml file needs to be copied in TEXT mode (for UNIX systems). After copying the files a restart of the Webtier HTTP Server is necessary.
B. Automatically using the Forms Configuration Helper Script
a. Download RREG.tar located on the Oracle Access Manager Server in OAM_HOME/oam/server/rreg/client and untar under the Oracle FMW 12c $FMW_HOME directory.
b. Set the MW_HOME and JAVA_HOME environment variables.
Example:
UNIX: export MW_HOME=/u01/Oracle/Middleware/Oracle_Home
export JAVA_HOME=/u01/Oracle/jdk1.8.0_65
Windows: set MW_HOME=D:\Oracle\Middleware\Oracle_Home
set JAVA_HOME=D:\Oracle\jdk1.8.0_65
c. Run the script:
./frmconfighelper.sh enable_sso OAM_hostname OAM_adminport Forms_hostname httpserver_port Forms_DOMAINHOME httpserver_instance
where OAM_hostname is the hostname where OAM is installed, OAM_adminport is the Admin server port for OAM, Forms_hostname is the hostname where Forms is installed, httpserver_port is the listen port of the HTTP Server that is used to access Forms, Forms_DOMAINHOME is the Forms domain home and httpserver_instance is the name of the instance of the HTTP Server.
Note: If running the frmconfighelper.sh script, the webgate agent will be created automatically and all the necessary files will be copied to the HTTP Server instance, so no extra manual steps are required.
After running the script, a restart of the environment is required: Node Manager, Admin server, WLS_FORMS and HTTP Server (in this order)
C. Choose the Forms Identity Store type for storing Resource Access descriptors.
Available options:
- Oracle Platform Security Services (OPSS) - Oracle Platform Security Services (OPSS) is configured as the default Forms Identity Store, so no action is required.
- Oracle Internet Directory (OID) - The user opted to use .
If choosing Oracle Internet Directory (OID) as the Forms Identity Store, proceed with accessing the Associate/Disassociate page:
- Start Fusion Middleware Control.
- Navigate to the Forms Home page.
- From the Forms menu, select Forms Runtime LDAP Associations.
- The Forms Runtime LDAP Associations page is displayed.
- Enter the Oracle Internet Directory Host details:
| Parameter | Description |
| OID Host | Select the Oracle Internet Directory Host from the list or select New Oracle Internet Directory (OID) host to add new host details. |
| New OID Host | Host name of the Oracle Internet Directory server. This field is enabled if you have selected to add new Oracle Internet Directory (OID) Host. |
| New OID Port | Port number on which Oracle Internet Directory is listening. This field is enabled if you have selected to add new Oracle Internet Directory Host. |
| Username | Oracle Internet Directory Administrator username |
| Password | Oracle Internet Directory Administrator password |
| Use SSL Port | Select this box if the connection to the Oracle Internet Directory Host should use SSL (in which case the port number provided should be the SSL port). |
- Click Associate and restart WLS_FORMS managed server.
IV. Enable SSO for Forms applications in formsweb.cfg
In order to protect Forms applications via SSO, the formswerb.cfg file needs to be modified.
Using the recommended method of managing formsweb.cfg, open Fusion Middleware Control and enable single sign-on for an application:
- Start Fusion Middleware Control.
- Select Web Configuration from the Forms menu.
- Select the row that lists the configuration section for your application.
- In the Section region, select sso in the Show drop down list.
- In the Section region, select the row containing ssoMode.
- In the Value field, enter webgate or TRUE.
- Click Apply to update the formsweb.cfg file.