Oracle SSO 10g With FMW OHS 11g Proxy For OC4J 10g And FMW 11g WebLogic Applications (Upgrade Transition Phase For Mixed 10g/11g Topology) (Doc ID 1368613.1)

Last updated on MARCH 08, 2017

Applies to:

Oracle Application Server Single Sign-On - Version 10.1.4 to 10.1.4 [Release 10gR3]
Information in this document applies to any platform.
***Checked for relevance on 03-MAR-2016***

Goal

How to configure Oracle HTTP Server (OHS) 11g to serve mod_osso protected requests for applications deployed on both FMW 11g WebLogic and AS 10g OC4J (transition stage while upgrading applications to FMW 11g).

Detailed requirement:

An Oracle Portal 10g site is deployed with links to custom applications deployed on Oracle Application Server (AS) 10g Oracle Containers for Java (OC4J), all accessed via a single application virtualhost e.g. http://app.oracle.com. Portal and the OC4J Java applications are integrated with Oracle Single Sign On (OSSO) 10g for authentication.

Now the upgrade of the application tiers to Fusion MiddleWare (FMW) 11g is underway, requiring:
a) Upgrade of Oracle Portal 10g to Oracle FMW Portal 11g.
b) Migration of the custom OC4J-deployed applications to run on WebLogic Server using JRE 6.

The latter requires both code and deployment changes, so the upgrade of the whole site to FMW 11g cannot be performed in a single step/outage period. A transition phase is required where some applications will be running on FMW 11g WebLogic Server and others will still be running on Oracle AS 10g OC4J.

It is essential that single sign-on is still functional to all the applications during this transitional phase, whether the application is running on WebLogic or OC4J.

For integration of applications deployed on FMW 11g WebLogic Server with OSSO 10g there is a requirement to route application requests via an OHS 11g installation with mod_osso and mod_wl_ohs configured. mod_osso handles the SSO functionality and mod_wl_ohs ensures that the request is routed to the appropriate back end WebLogic server to serve the application request.

When Portal is upgraded to 11g, the webserver handling the Portal application requests must be OHS 11g.

The following topology is therefore being considered as a transition state for phased upgrade so that first Portal will be upgraded to 11g and then each of the OC4J applications migrated to FMW 11g WebLogic Server/JRE 6.


However, attempts to test this topology fail because, after authentication, SSO redirects back to http://app.oracle.com/osso_login_success, a URL without application context, so the request cannot be differentiated between OHS 11g and OHS 10g:
=> OHS 11g processes the /osso_login_success request and creates the OHS-ID cookie.
=> OHS 11g proxies the OC4J 10g application request to the backend OHS 10g, including the OHS-ID cookie.
=> mod_osso on the AS 10g application tier receives this OHS-ID cookie but cannot decrypt it, because mod_osso 10g cannot decrypt OHS-ID cookies created by mod_osso 11g and vice versa.
=> mod_osso on the AS 10g tier redirects the user back to the SSO Server for authentication.
=> The user is already authenticated, so the SSO Server redirects back to /osso_login_success.
=> Looping occurs.


Note that this issue is specific to the case where both FMW 11g and AS 10g mod_osso protected applications are accessed using a single application (virtual) hostname. Where the hostnames used to access the 11g and 10g applications are different, this requirement and problem will not occur.
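
The loop described above shows up in the front-end OHS 11g access log as one client requesting /osso_login_success repeatedly within seconds. The following Python check is an added example, not part of the Oracle note; it assumes the access log is in Apache Common Log Format, and the log lines, client addresses, application paths, threshold and window are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the access log is in Apache Common Log Format.
CLF = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                 r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
CALLBACK = "/osso_login_success"  # SSO success URL named in the note

# Constructed sample log: 10.0.0.5 is caught in the loop, 10.0.0.9 logs in once.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2017:10:00:01 +0000] "GET /oc4japp/home HTTP/1.1" 302 -
10.0.0.5 - - [08/Mar/2017:10:00:02 +0000] "GET /osso_login_success HTTP/1.1" 302 -
10.0.0.5 - - [08/Mar/2017:10:00:03 +0000] "GET /oc4japp/home HTTP/1.1" 302 -
10.0.0.5 - - [08/Mar/2017:10:00:04 +0000] "GET /osso_login_success HTTP/1.1" 302 -
10.0.0.9 - - [08/Mar/2017:10:00:04 +0000] "GET /osso_login_success HTTP/1.1" 302 -
10.0.0.9 - - [08/Mar/2017:10:00:05 +0000] "GET /wlsapp/index.jsp HTTP/1.1" 200 5120
10.0.0.5 - - [08/Mar/2017:10:00:05 +0000] "GET /oc4japp/home HTTP/1.1" 302 -
10.0.0.5 - - [08/Mar/2017:10:00:06 +0000] "GET /osso_login_success HTTP/1.1" 302 -
10.0.0.5 - - [08/Mar/2017:10:00:08 +0000] "GET /osso_login_success HTTP/1.1" 302 -
"""

def find_login_loops(log_text, threshold=3, window=timedelta(seconds=30)):
    """Map client IP -> largest number of callback hits inside one window,
    for clients that reach `threshold` hits (a likely redirect loop)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m or m["path"].split("?", 1)[0] != CALLBACK:
            continue  # unparsable line or not the SSO callback
        hits[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    loops = {}
    for ip, times in hits.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide window start forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[ip] = best
    return loops

if __name__ == "__main__":
    for ip, count in find_login_loops(SAMPLE_LOG).items():
        print(f"{ip}: {count} hits on {CALLBACK} in one window (possible SSO loop)")
```

A single hit per client is a normal login; only repeated callbacks from the same client inside the window are reported.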

Solution
