Oracle® Access Manager Installation Guide
10g (10.1.4.2.0)

Part Number B32412-01

19 Installing Web Components with the IIS Web Server

This chapter summarizes activities that you need to perform to configure Oracle Access Manager 10g (10.1.4.0.1) Web components (WebPass, Policy Manager, WebGate) with a Microsoft Internet Information Server (IIS Web server for Windows environments). Topics include:

19.1 Guidelines for Oracle Access Manager Web Components and IIS

ISAPI is an Internet Web server extension that Oracle Access Manager uses to identify Web server components (WebPass, Policy Manager, WebGate) that communicate with the IIS Web server. For example, the following packages install the WebPass, Policy Manager, and WebGate for IIS:

Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebPass

Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_Policy_Manager

Oracle_Access_Manager10_1_4_0_1_Win32_ISAPI_WebGate

Updating the IIS Web server configuration file is required when installing Oracle Access Manager Web components. With IIS Web servers, a configuration update involves updating the Web server directly by adding the ISAPI filter and creating the extensions required by Oracle Access Manager. Oracle recommends that you update the IIS Web server configuration file automatically during Oracle Access Manager Web component installation. Automatic updates may take more than a minute. However, updating the IIS Web server configuration file manually takes longer and could introduce unintended errors.

For more guidelines, see:

19.1.1 WebPass Guidelines for IIS Web Servers

The WebPass must be installed on the same Web server instance as a Policy Manager, at the same directory level as a Policy Manager. The WebPass installer cannot update multiple Web server instances. If you have multiple IIS Web server instances installed, be sure to install a separate WebPass on each Web server instance.

Your Web server must be configured to operate with the WebPass. Oracle recommends automatically updating your Web server configuration during WebPass installation.

19.1.2 Policy Manager Guidelines for IIS Web Servers

The Policy Manager must be installed on the same Web server instance as a WebPass, at the same directory level as a WebPass. The Policy Manager installer cannot update multiple Web server instances. If you have multiple IIS Web server instances installed, be sure to install a separate Policy Manager on each Web server instance.

When installing the Policy Manager for an IIS Web server with:

  • Windows 2000: When installing the Policy Manager on Windows 2000 with IIS, ensure that the group named Everyone has full access to the \temp directory and the drive (for example, C or D) to which the \temp directory belongs. The TEMP variable needs to be set to point to a valid directory, either for the entire system or for the IIS user. Oracle recommends setting the TEMP variable for the entire system.

  • Active Directory: If you specify Active Directory on Windows Server 2003 as the directory server during Policy Manager installation, a new page appears asking if dynamic auxiliary classes are to be supported. If you are using ADSI, you need to set the IIS Web server Anonymous User Login Account to a Domain User after installation and before setting up the Policy Manager. For more information about Active Directory, see Appendix A.

A Policy Manager installed with an IIS Web server depends on the Registry to obtain the \PolicyManager_install_dir. To avoid a conflict in the Registry when you install two Policy Managers on a single computer, one with an IIS Web server and the other with a Sun Web server, you must install the Policy Managers as outlined in the following procedure.

Task overview: To avoid a conflict with IIS and Sun Web server instances

  1. Install the Policy Manager with the Sun Web server first.

  2. Install the Policy Manager with the IIS Web server second.

For more information about installing a Policy Manager, see Chapter 7.

19.1.3 WebGate Guidelines for IIS Web Servers

Oracle Access Manager WebGates for Apache v2, OHS2, and IHS v2 may be the only WebGates in your installation or may coexist with other WebGates. For more information, see "Access System Guidelines".

Before installing the WebGate, ensure that your IIS Web server is not in lockdown mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lockdown.

Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

Each IIS Virtual Web server can have its own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the WebGate.dll at the site level to control all virtual hosts or install the WebGate.dll for one or all virtual hosts.

You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir, as described in "Installing postgate.dll on IIS Web Servers". If you perform multiple installations, multiple versions of this file may be created which may cause unusual Oracle Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist.

Note:

The postgate.dll is always installed at the site level. If for some reason the WebGate is reinstalled, the postgate.dll is also reinstalled. In this case, ensure that only one copy of the postgate.dll exists at the site level.

As with other Oracle Access Manager Web components, your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. Also:

  • You may receive special instructions to perform during WebGate installation. For example: Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

  • On IIS, if you are using client certificate authentication you must enable SSL on the IIS Web server hosting the WebGate before enabling client certificates for WebGate. You must also ensure that various filters are installed in a particular order. In addition, you may need to install the postgate.dll as an ISAPI filter.

For more information about WebGates, see Chapter 9.

19.2 Compatibility and Platform Support

For the latest support information, see details under the Certify tab on:

To use Metalink

  1. Go to MetaLink at https://metalink.oracle.com.

  2. Log in to MetaLink as directed.

  3. Click the Certify tab.

  4. Click View Certifications by Product.

  5. Select the Application Server option and click Submit.

  6. Choose Oracle Identity Manager and click Submit.

  7. Click Oracle Identity Management Certification Information 10g (10.1.4.0.1) (html) to display the Oracle Identity Management page.

  8. Click the link for Section 6, "Oracle Access Manager Certification" to display the certification matrix.

19.3 Verifying WebPass Permissions on IIS

Once you have installed WebPass and updated the Web server configuration, you should ensure that the WebPass installation directory has the proper permissions to run correctly.

To verify the WebPass IIS Web server configuration

  1. Locate the following directory:

    \WebPass_install_dir\identity\oblix\apps\webpass\bin

  2. Right click the \bin directory, then select Properties.

  3. Select the Security tab and ensure that "Allow" for "Read" and "Write" rights are granted to user "SERVICE".

To verify when WebPass was set up in Simple or Cert mode

  1. Locate \WebPass_install_dir\identity\oblix\config\password.xml.

  2. Right click password.xml, then select Properties.

  3. Select the Security tab and ensure that "Allow" for "Read" rights are granted to users:

    "IUSR_<computer_name>"

    "IWAM_<computer_name>"

    "NETWORK SERVICE"

    "IIS_WPG" (only for IIS 6.0)
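The two checks above can be run from an elevated PowerShell prompt on the IIS host with the following script, which is an added example and not part of the Oracle guide. The value of $WebPassInstallDir is an assumed path to adjust, and the account names are matched as the procedures print them (IIS_WPG exists only on IIS 6.0, so ignore that line on IIS 5.0).

```powershell
# Added example: verifies the rights that section 19.3 asks you to confirm.
# $WebPassInstallDir is an assumed location; change it to match your host.
$WebPassInstallDir = 'C:\OracleAccessManager\WebPass'
$computer    = $env:COMPUTERNAME
$binDir      = Join-Path $WebPassInstallDir 'identity\oblix\apps\webpass\bin'
$passwordXml = Join-Path $WebPassInstallDir 'identity\oblix\config\password.xml'

# Returns $true when the Allow ACEs for $Account on $Path together cover every
# bit of $Rights and no Deny ACE for that account takes any of those bits away.
# $Account is compared with the part after the last backslash, so names can be
# written as the guide prints them (SERVICE, IUSR_<computer_name>, IIS_WPG ...).
function Test-AllowRights {
    param(
        [string]$Path,
        [string]$Account,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $allowed = [System.Security.AccessControl.FileSystemRights]0
    $denied  = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $name = ($ace.IdentityReference.Value -split '\\')[-1]
        if ($name -ine $Account) { continue }
        if ($ace.AccessControlType -eq 'Allow') { $allowed = $allowed -bor $ace.FileSystemRights }
        else                                     { $denied  = $denied  -bor $ace.FileSystemRights }
    }
    $effective = $allowed -band (-bnot $denied)
    return (($effective -band $Rights) -eq $Rights)
}

$read      = [System.Security.AccessControl.FileSystemRights]::Read
$readWrite = [System.Security.AccessControl.FileSystemRights]'Read, Write'

# Procedure 1: SERVICE needs Allow Read and Write on the \bin directory.
$checks = @( @{ Path = $binDir; Account = 'SERVICE'; Rights = $readWrite } )
# Procedure 2 (Simple or Cert mode only): Allow Read on password.xml for the
# IIS identities. IIS_WPG is an IIS 6.0 group; on IIS 5.0 its FAIL can be ignored.
foreach ($acct in "IUSR_$computer", "IWAM_$computer", 'NETWORK SERVICE', 'IIS_WPG') {
    $checks += @{ Path = $passwordXml; Account = $acct; Rights = $read }
}

$failures = 0
foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Warning "Missing: $($c.Path)"; $failures++; continue
    }
    if (Test-AllowRights -Path $c.Path -Account $c.Account -Rights $c.Rights) {
        Write-Host "OK   $($c.Account) has $($c.Rights) on $($c.Path)"
    } else {
        Write-Warning "FAIL $($c.Account) lacks $($c.Rights) on $($c.Path)"; $failures++
    }
}
exit $failures
```

The exit code is the number of failed checks, so the script can be called from a post-installation batch file and stop it when a right is missing.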

19.4 Verifying Policy Manager Permissions on IIS

Whether you updated your configuration automatically during Policy Manager installation or manually, you can easily verify that the directory permissions are properly set for Oracle Access Manager.

To verify the Policy Manager IIS Web server configuration

  1. Launch your Web browser, and open the following file, if needed. For example:

    \PolicyManager_install_dir\access\oblix\lang\langTag\docs\config.htm

  2. Select the appropriate Web server interface configuration protocol from the table on the screen, also shown under "Manually Configuring Your Web Server".

  3. Review the directory permissions and compare them to those set on the Policy Manager Web server.

19.5 Completing WebGate Installation with IIS

Completing WebGate installation with an IIS Web server includes the following activities after the installation is complete.

Task overview: Completing IIS WebGate installations includes

  1. "Enabling SSL on the IIS Web Server"

  2. "Ordering the ISAPI Filters"

  3. "Installing postgate.dll on IIS Web Servers"

  4. "Protecting a Web Site When the Default Site is Not Setup"

19.5.1 Enabling SSL on the IIS Web Server

Use the following procedures as a guide; they reflect the sequence for IIS v5.

To enable SSL on the IIS Web server

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administration Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Expand the Default Web Site or the appropriate Web site, then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties.

  5. Select the File Security tab in the Properties panel.

  6. In the Secure Communications sub-panel, click Edit.

  7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

  8. Click OK in the cert_authn.dll Properties panel.

If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters.

To add cert_authn.dll as an ISAPI filter

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administration Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right click the appropriate Web Site to display the Properties panel.

  4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.

  5. Enter filter name "cert_authn".

  6. Click the Browse button and navigate to the following directory:

    \WebGate_install_dir\access\oblix\apps\webgate\bin

  7. Select cert_authn.dll as the executable.

  8. Click OK on the Filter Properties panel.

  9. Click Apply on the ISAPI Filters panel.

  10. Click OK.

  11. Ensure the filters are listed in the correct order.

19.5.2 Ordering the ISAPI Filters

It is important to ensure that the WebGate ISAPI filters are included in the right order.

To order the WebGate ISAPI filters

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administration Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Click Properties, select ISAPI filters.

  5. Confirm the following .dll files appear.

    For example:

    cert_authn.dll
    webgate.dll
    oblixlock.dll
    transfilter.dll

  6. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5.

    WARNING:

    Confirm that there is only one webgate.dll and one postgate.dll filter.

19.5.3 Installing postgate.dll on IIS Web Servers

Following WebGate installation, you may need to install the postgate.dll manually.

POST data is required for pass-through during a form login on the IIS Web server when using the WebGate extension method (where the WebGate is the action of the form). In other words, if a form authentication scheme on the IIS Web server is configured with the passthrough option, and the target of the login form requires the data posted by the form, the WebGate extension method (where the WebGate DLL is the action of the form) cannot be used. The WebGate filter method (where the action of the form is a protected URL that is not the WebGate DLL) must be used instead, and the postgate DLL must be installed and enabled.

POST data is also used in an authorization decision that includes rule parameters for the AzMan authorization plug-in. In this case, postgate.dll must be installed.

The following procedures presume that you are familiar with the IIS Web server commands. Two procedures are provided:

19.5.3.1 Setting Up IIS Web Server Isolation Mode

On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode. This is required by the ISAPI postgate filter.

To set IIS 5.0 isolation on IIS 6 Web servers

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administration Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Select the Service tab in the Web Site Properties window.

  5. Check the box beside Run WWW service in IIS 5.0 Isolation Mode.

  6. Click OK.

19.5.3.2 Installing the Postgate ISAPI Filter

If you perform multiple WebGate installations on one computer, multiple versions of the postgate.dll file may be created which may cause unusual Oracle Access Manager behavior. There can only be one postgate.dll configured at the (top) Web Sites level of a computer. You may have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. Install the filters in the following order:

  • The ISAPI WebGate filter should be installed after the sspifilt filter and before any others.

  • If it is needed, the postgate filter should be installed before the WebGate filter.

  • All other Oracle Access Manager filters can be installed at the end.

    Note:

    Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters.

The following procedures guide you as you install and position the postgate ISAPI filter.

To install the postgate ISAPI filter

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administration Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Select the ISAPI Filters tab in the Web Site Properties window.

  5. Click the Add button to display the Filter Properties panel.

  6. Enter the filter name "postgate".

  7. Click the Browse button and navigate to the following directory:

    \WebGate_install_dir\access\oblix\apps\webgate\bin

  8. Select postgate.dll as the executable.

  9. Click OK on the Filter Properties panel.

  10. Click Apply on the ISAPI Filters panel.

To restart IIS and reposition the postgate ISAPI filter

  1. Start the Internet Information Services console, if needed.

  2. Right-click your local computer, then select All Tasks, select Restart IIS.

  3. Select the ISAPI Filters tab on the Properties panel.

  4. Select the postgate filter and move it before WebGate, using the up arrow.

    For example:

    postgate.dll
    webgate.dll
    oblixlock.dll

  5. Restart IIS or proceed with "Protecting a Web Site When the Default Site is Not Setup" next.

    Note:

    Consider using net stop iisadmin and net start w3svc to help ensure that the Metabase does not become corrupted.
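The ordering rules in "Ordering the ISAPI Filters" and in this section can be checked against the metabase with the following PowerShell script, which is an added example and not part of the Oracle guide. It reads the FilterLoadOrder property of a Filters node through ADSI, as exposed by the IIS 5 and IIS 6 metabase; the metabase path W3SVC/1 (the Default Web Site) and the filter name webgate are assumptions, and sspifilt is normally registered at the top W3SVC level rather than on a site.

```powershell
# Added example: reads the ISAPI filter load order of one IIS 5/6 metabase node
# and checks it against the rules in 19.5.2 and 19.5.3.2. Assumes site id 1
# (the Default Web Site); list IIS://localhost/W3SVC to find other site ids.
# Filter names are the ones typed into the Filter Properties panel.

function Get-FilterLoadOrder {
    param([string]$MetabasePath = 'W3SVC/1')
    $filters = [ADSI]"IIS://localhost/$MetabasePath/Filters"
    # FilterLoadOrder is a comma-separated list; the first entry loads first.
    $raw = [string]$filters.FilterLoadOrder
    if (-not $raw) { return @() }
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

# Returns the list of problems found; an empty list means the order follows the guide.
function Test-WebGateFilterOrder {
    param([string[]]$Order)
    $names    = @($Order | ForEach-Object { $_.ToLowerInvariant() })
    $problems = @()

    # 19.5.2 warning: only one webgate and only one postgate filter.
    foreach ($f in 'webgate', 'postgate') {
        $count = @($names | Where-Object { $_ -eq $f }).Count
        if ($count -gt 1) { $problems += "$count copies of the '$f' filter; remove the duplicates" }
    }
    $webgate  = [array]::IndexOf($names, 'webgate')
    $postgate = [array]::IndexOf($names, 'postgate')
    $cert     = [array]::IndexOf($names, 'cert_authn')
    $sspi     = [array]::IndexOf($names, 'sspifilt')
    if ($webgate -lt 0) { $problems += "no 'webgate' filter is registered on this node"; return $problems }

    # 19.5.3.2: webgate after sspifilt; postgate, when present, before webgate.
    if ($sspi -ge 0 -and $sspi -gt $webgate)         { $problems += "'webgate' loads before 'sspifilt'; move it down" }
    if ($postgate -ge 0 -and $postgate -gt $webgate) { $problems += "'postgate' loads after 'webgate'; move it up" }
    # 19.5.2 example order: cert_authn (client certificates) ahead of webgate.
    if ($cert -ge 0 -and $cert -gt $webgate)         { $problems += "'cert_authn' loads after 'webgate'; move it up" }
    return $problems
}

$order = Get-FilterLoadOrder -MetabasePath 'W3SVC/1'
Write-Host ('Load order: ' + ($order -join ' > '))
$problems = Test-WebGateFilterOrder -Order $order
if ($problems.Count -eq 0) { Write-Host 'Filter order matches the guide.' }
else { $problems | ForEach-Object { Write-Warning $_ }; exit 1 }
```

Run it again with -MetabasePath 'W3SVC' to inspect the top Web Sites level, which is where a single shared postgate filter is expected to live.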

19.5.4 Protecting a Web Site When the Default Site is Not Setup

When you install a WebGate on an IIS Web server that does not have the "Default Web Site" configured, the installer does not create "Virtual Directory -> access", which must be done manually using the following procedure:

To protect a Web site (not the default site)

  1. Start the Internet Information Services console, if needed.

  2. Select the name of the Web site to protect.

  3. Right-click the name of the Web site to protect and select New -> Virtual Directory in the menu.

  4. Click Next.

  5. Select Alias: access, then click Next.

  6. Directory: Enter the full path to the /access directory, then click Next.

  7. Select Read, Run Scripts, and Execute, then click Next.

  8. Click Finish.

  9. Restart IIS. For example:

    Select Start, then Run.
    Type net start w3svc.
    Click OK.

19.6 Confirming WebGate Installation on IIS

After installing WebGate and updating the IIS Web server configuration file, you can use the WebGate diagnostics to verify the WebGate is properly installed.

To verify WebGate installation

  1. Navigate to the URL:

    http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1

    where hostname refers to the name of the computer hosting the WebGate and port refers to the Web server instance port number.

  2. The WebGate diagnostic page should appear.

    • Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page.

    • Unsuccessful: If the WebGate diagnostic page does not open, the WebGate is not functioning properly. In this case, uninstall and reinstall the WebGate. For more information about removing Oracle Access Manager, see Chapter 21; then return to Chapter 9, which covers installing a WebGate.

19.7 Starting, Stopping, and Restarting the IIS Web Server

When instructed to restart your IIS Web server during Oracle Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, net stop iisadmin and net start w3svc are good ways to stop and start the Web server. This is true for all Oracle Access Manager Web components and is especially true after installing the Policy Manager. The net commands help to ensure that the Metabase does not become corrupted following an installation.

For more information, see the Web component chapters in this book:

19.8 Removing Web Server Configuration Changes Before Uninstall

Web server configuration changes that occur during installation must be manually reverted after uninstalling the Oracle Access Manager component (WebPass, Policy Manager, WebGate). For example, the ISAPI transfilter will be installed for IIS WebPass. However, if you uninstall WebPass this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list.

Further, any changes that you manually made to your Web server configuration file for the Oracle Access Manager component (WebPass, Policy Manager, WebGate) must also be removed. For more information about what is added for each component, look elsewhere in this chapter.

To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase.

19.9 Troubleshooting

For information on troubleshooting, see the following topics in Appendix E: