Saturday, November 10, 2007

SSO for Oracle Grid Control

Although there is a lot happening, it seems like I'm almost never pick myself together to write a post over here.

This time I'll share a solution I made up to create a Single Sign-On module for Oracle Grid Control. Well I assume you already know what Grid Control is all about but if you don't you can check it out on Oracle's web site.

Something like a year ago I first heard about this product and me and some of the people I'm working with agreed immediately that we should do a POC of it in our network... Few weeks later we had it installed and agents were deployed on over 50 servers. Out of few minor problems as with any other product we integrated into our IT environment it was working and pretty much kept its word.

A while has passed until we actually put it on our production environment and now we use the latest version (Grid Control R3).

All this time there was a very annoying process in this product – as you guessed – the logon screen that shows up each time you want to use the application.
I picked up the phone and asked Oracle support team if they have any SSO solution for Grid Control because there is no logic in asking a user his credentials if he already authenticated against a domain. Oracle's local support team said that there is no SSO solution and when I asked them why, they said that this product is supposed to serve a small group of admin users and because of that there is no excuse to create a SSO module for it. This is where I come into the picture and in the next paragraphs I will explain how I built SSO module for Oracle Grid Control.

Well the Management Server is a normal J2EE application running on a standard Oracle Application Server and as any J2EE application we could relative easily change it. The Idea was to add a MOD_NTLM to the HTTP Server (OAS is based on Apache) and change the logon module to use the remote user id and log him in with the right permissions.

So I'll start from the bottom – DB.
SSO in its basic level is all about logging someone with his domain authentication to our application and giving him the right permissions. This means that we need two tables:
First is a table with our local application users(id, username and password).
Second is a table which maps between a domain user to a local user/role(domain username, local user id from the first table).

On top of it we should create a simple page which take the remote username ,ask the DB which local user should he be logged on with, put this values into the form and add some java script that submits the logon form for the user.

Well this is a problem because I was counting that the logon page is some kind of a standard technology(JSP or servlet) but…
The logon screen is a .uix page (Oracle's tag based server side pages) called logon.uix located in the OC4J_EM directory with all other application files… There is no way I will learn another language for this I told myself and so I came up with the next idea:
I'll put some java script code in the uix (there is a place to put raw html in those pages) logon screen that opens up a http request to another page that is filtered with MOD_NTLM which will do the SSO logic (select the right user from our tables). This second page will be a JSP that will write back a XML response with this information and back to the uix java script that will parse it and put it into the username and password fields and submit the form (yeah you are right, this is known as AJAX).

This is it. SSO is actually very easy to create.
'Till next time,
Good luck!

*You should put some encryption on the first table because saving DB passwords in clear text is not recommended.

*I never tried it but this solution should work fine to be a SSO for Oracle Enterprise Manager (OMS) for any Oracle Forms Server, Oracle Discoverer or any other Oracle Application Server(R3 and above).