Oracle Application Express
Integration with IBM Tivoli Access Manager (TAM) SSO

This document describes the integration of Oracle Application Express (APEX) with IBM Tivoli Access Manager (TAM) SSO.

Requirements

Software Versions:

• Oracle Application Express 3.x
• IBM Tivoli Access Manager for e-business 4.1

Links

• AJAX techniques within a Tivoli Access Manager WebSEAL Environment

Configure IBM Tivoli Access Manager for e-business

• In IBM TAM, generate a Junction configuration for Oracle HTTP Server and its port (normally: 7777).
• It is important to consider the following parameters:
  • Setting the parameter “-c iv_user” ensures that the login name will be transfered to the Oracle HTTP Server and thus to Oracle Application Express.
  • Make sure that the computer name in parameter “-h” is the full-qualified DNS name of the Oracle HTTP Server. Oracle Application Express musst be reachable in your LAN using this computer name.
  • Add parameter “–v apex-servername.domain:port” if 80 is not the default port of the HTTP Server.
  • Add option “–j” to filter JavaScript correctly.
  • Make sure that parameter “script-filter” in configuration file webseald.conf is set to “yes”.

Configure Oracle Application Express (and HTTP Server)

The basis of the interaction between WebSEAL SSO server and Oracle is the CGI Environment variable HTTP_IV_USER, which stores the login name after a successful SSO authentication at the WebSEAL server.

Complete the following steps:

• Prior to integration with IBM TAM, ensure that APEX is up and running.
• Make sure that the CGI Environment variable HTTP_IV_USER will be passed to the PL/SQL module. Edit the configuration file dads.conf in directory $OHS_HOME/… /modplsql/conf (note: in some installations the relevant file is called marvel.conf) and add the following directive to the appropriate DAD for APEX:

  <Location /pls/apex>
  …
  PlsqlCGIEnvironmentList	HTTP_IV_USER
  …
  </Location>
  

  This change requires a restart of the Oracle HTTP Server.
• Check in the Apache configuration file httpd.conf, whether the parameter ServerName (the name of the computer on which Oracle HTTP Server runs) is set correctly and in lower case (especially on Windows 2000 systems). Possible changes will affect only after a restart of the Oracle HTTP Server.
• Create the PL/SQL function CUSTOM_PAGE_SENTRY (see below) in the underlying database schema of your APEX Workspace. This function will be used as Page Sentry Function of the new authentication schema (see next step). Don't forget to grant EXECUTE privileges to PUBLIC.

  CREATE OR REPLACE FUNCTION custom_page_sentry RETURN BOOLEAN
  AS
  --
  -- Page sentry using built-in session verification logic 
  -- and CGI Environment variable as the holder of the username. 
      l_current_sid number;
      l_tam_userid  varchar2(255) := upper(owa_util.get_cgi_env('HTTP_IV_USER'));
  BEGIN
      l_current_sid := wwv_flow_custom_auth_std.get_session_id_from_cookie;
  
      if wwv_flow_custom_auth_std.is_session_valid then
          wwv_flow.g_instance := l_current_sid;
          if l_tam_userid = wwv_flow_custom_auth_std.get_username then
              wwv_flow_custom_auth.define_user_session(
                  p_user=>l_tam_userid,
                  p_session_id=>l_current_sid);
              return true;
          else 
            -- username mismatch. 
            -- Unset the session cookie and 
            -- redirect back here to take other branch
              wwv_flow_custom_auth_std.logout(
                  p_this_flow=>v('APP_ID'),
                  p_next_flow_page_sess=>v('APP_ID')||':'||
                    nvl(v('APP_PAGE_ID'),0)||':'||l_current_sid);
              wwv_flow.g_unrecoverable_error := true; -- tell apex engine to quit
              return false;
          end if;
      else -- application session cookie not valid; we need a new apex session
          wwv_flow_custom_auth.define_user_session(
              p_user=>l_tam_userid,
              p_session_id=>wwv_flow_custom_auth.get_next_session_id);
          wwv_flow.g_unrecoverable_error := true; -- tell apex engine to quit
          --
          if owa_util.get_cgi_env('REQUEST_METHOD') = 'GET' then
              wwv_flow_custom_auth.remember_deep_link(
            p_url=>'f?'||wwv_flow_utilities.url_decode2(
              owa_util.get_cgi_env('QUERY_STRING')));
          else
              wwv_flow_custom_auth.remember_deep_link(p_url=>'f?p='||
                  to_char(wwv_flow.g_flow_id)||':'||
                  to_char(nvl(wwv_flow.g_flow_step_id,0))||':'||
                  to_char(wwv_flow.g_instance));
          end if;
          --
          -- register session in apex sessions table, set cookie, 
          -- redirect back
          wwv_flow_custom_auth_std.post_login( 
              p_uname     => l_tam_userid,
              p_flow_page => wwv_flow.g_flow_id||':'||
                nvl(wwv_flow.g_flow_step_id,0));
          return false;
      end if;
  END custom_page_sentry;
  /
  
  grant execute on custom_page_sentry to public
  /
  
  create public synonym custom_page_sentry for user.custom_page_sentry
  /
  
  

  This function accomplishes the session handling in APEX. It will be evaluated with each APEX page call. The purpose of this function is to guarantee that the user is already logged in at the WebSEAL SSO server. Only then the function will return TRUE and thus allows to access the APEX application.
  
  
• Create a new authentication schema "IBM Webseal SSO" in APEX Application Builder. The following settings are important; use the defaults for all other settings (thus leave them empty ;-)).

  Page Sentry Function:	return custom_page_sentry
  Session Not Valid URL:	http://[sso-servername.domain]/[junction-name]/pls/apex/f?p=&APP_ID.:1
  Credentials Verification Method:	Do not verify credentials
  Logout URL:	http://[sso-servername.domain]/pkmslogout

• Set the new authentication schema as current schema (Change Current)

Test SSO

To test the configuration, call your APEX application using the following URL:

• http://[sso-servername.domain]/[junction-name]/pls/apex/f?p=[apex-appid]
  e.g. http://sso.server.de/apex10/pls/apex/f?p=109

Even if the APEX application is called using the "original" URL http://apex-servername.de:7777/pls/apex/f?p=109, it will be automatically rerouted to the WebSEAL SSO server.