Thursday, June 07, 2007

Add a user to the JavaSSO

In AS 10.1.3.x Oracle introduced JavaSSO. From a high-level perspective it seems to be a poor man's version of the SSO from AS 10.1.2.x.

Having said this, it strikes me how little documentation is available for this feature.

But we're explorers, aren't we?

JavaSSO is based on a file-based security provider. The two main files are:
- jazn.xml
- system-jazn-data.xml

Both exist in the $OH/j2ee/ directory. This means that if you have more than one OC4J instance you need to edit both.

The most basic task is to add a user. You can, of course, try to do this by editing the XML files, but luckily Oracle provides the jazn.jar tool.

Make sure that you use the correct java executable and start it:

java -jar jazn.jar -adduser jazn.com andreas welcome1

You will be asked for the AbstractLoginModule username (oc4jadmin) and its password.

Now we have a user, but usually the user has to be granted a role before it can do anything useful:

java -jar jazn.jar -grantrole users jazn.com andreas
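To confirm that both commands took effect in a given instance's system-jazn-data.xml, the file can be checked for the user and its role membership. The following is an added example, not part of the original post or of Oracle's tooling; the element layout, the "!" cleartext marker, the user "tmpuser" and the sample data are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed for system-jazn-data.xml
# (jazn-realm/realm with users and roles); not taken from a real install.
SAMPLE = """<jazn-data>
 <jazn-realm>
  <realm>
   <name>jazn.com</name>
   <users>
    <user><name>andreas</name><credentials>{903}CONSTRUCTED</credentials></user>
    <user><name>tmpuser</name><credentials>!changeme</credentials></user>
   </users>
   <roles>
    <role>
     <name>users</name>
     <members>
      <member><type>user</type><name>andreas</name></member>
     </members>
    </role>
   </roles>
  </realm>
 </jazn-realm>
</jazn-data>"""


def check_user(xml_text, realm, user, role):
    """Report whether `user` exists in `realm` and is a direct member of `role`."""
    root = ET.fromstring(xml_text)
    result = {"realm": False, "user": False, "in_role": False, "cleartext": False}
    for r in root.iter("realm"):
        if r.findtext("name", "").strip() != realm:
            continue
        result["realm"] = True
        for u in r.findall("users/user"):
            if u.findtext("name", "").strip() == user:
                result["user"] = True
                # Assumption: a leading "!" marks a password not yet obfuscated.
                result["cleartext"] = u.findtext("credentials", "").startswith("!")
        for ro in r.findall("roles/role"):
            if ro.findtext("name", "").strip() != role:
                continue
            for m in ro.findall("members/member"):
                if (m.findtext("type", "").strip() == "user"
                        and m.findtext("name", "").strip() == user):
                    result["in_role"] = True
    return result


if __name__ == "__main__":
    print(check_user(SAMPLE, "jazn.com", "andreas", "users"))
```

With more than one OC4J instance, run the check against each instance's file and compare the results.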

Now the user is added and we will prevent the ugly errors - such as:



4 comments:

Srikant said...

Actually JavaSSO works with any security provider, not just XML i.e., users in system-jazn-data.xml. That is where it differs from the more enterprisey Oracle SSO. You can configure Oracle provided LDAP security provider for OID or use any custom login module (say, something based on a database - try the DBTableOraDataSourceLoginModule).
Just make sure that JavaSSO and the partner application are both configured for the same login module.

Andreas said...

Yes, but I'm still struggling to use OpenLDAP for that matter. It seems that the authorisation works but apparently Oracle uses some more group based entries in the LDAP before an application like the Wiki of WebCenter will work.

Jamie said...

Thanks for the very helpful post! You saved me some time.

Vidya said...

How can we create groups in jazn.com? This can be created from admin console in 10.1.2 but in 10.1.3 I am not able to see any provision for creating groups.