Oracle® Access Manager Access Administration Guide
10g (10.1.4.3)

Part Number E12488-01

D Using Oracle Access Manager with IPv6 Clients

This appendix provides the following information about using Oracle Access Manager with Internet Protocol Version 6 clients:

D.1 About Oracle Access Manager and IPv6

Oracle Access Manager supports Internet Protocol Version 4 (IPv4). Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6).

Among other features, IPv6 supports a larger address space (128 bits) than IPv4 (32 bits), providing an exponential increase in the number of computers that can be addressable on the Web. IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in.

You can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server. Several scenarios are provided here. Be sure to choose the right configuration for your environment.

D.1.1 Supported Topologies

The following topologies are supported when using IPv6 alone or in combination with IPv4 and various Oracle applications:

Note:

Only item 6 pertains to Oracle Access Manager, as one of the single sign-on (SSO) solutions.
  1. IPv4 (Oracle Database) -- Dual Stack (WebLogic Server) -- IPv4 Client, IPv6 Client

  2. IPv4 (Oracle Database) -- Dual Stack (WebLogic Server, SOA Suite, BAM, WebCenter, Enterprise Manager) -- IPv6 (Oracle HTTP Server with mod_wl_ohs) -- IPv6 Client

  3. IPv6 (Database like MySQL) -- IPv6 (WLS) -- IPv6 Client

  4. IPv4 (Database) -- Dual Stack (SOA Suite, BAM, WebCenter, Identity Management, Enterprise Manager) -- IPv4 Client, IPv6 Client

  5. IPv4 Classic (Forms, Reports, Discoverer, Portal + 10.1.4.3 SSO) -- Dual Stack (Oracle HTTP Server with mod_proxy) -- IPv6 Client

  6. IPv4 (Oracle Access Manager 10.1.4.3 with applications like SOA Suite) -- Dual Stack (Oracle HTTP Server with mod_proxy) -- IPv6 Client

  7. IPv4 (WebLogic Server, SOA Suite, BAM, WebCenter, Enterprise Manager) -- Dual Stack (Oracle HTTP Server with mod_wl_ohs) -- IPv6 Client

See Also:

Oracle Fusion Middleware Administrator's Guide (E10105-01) for more information about IPv6

The remainder of this appendix focuses on using IPv6 with Oracle Access Manager.

D.1.2 Simple Authentication with IPv6

Figure D-1 illustrates simple authentication with Oracle Access Manager configured to use the IPv6/IPv4 proxy.

Note:

In a WebGate profile, an IPv6 address cannot be specified. In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address.

Figure D-1 Simple Authentication with the IPv6/IPv4 Proxy


As illustrated in Figure D-1, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server and WebGate using IPv4. WebGate, Oracle Access Manager servers, and Oracle WebLogic Server with the Authentication provider all communicate with each other using IPv4.

D.1.3 Configuring IPv6 with an Authenticating WebGate and Challenge Redirect

Figure D-2 illustrates configuration with a single IPv6 to IPv4 Proxy (even though myssohost and myapphost could use separate proxies).

Note:

In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address. The redirect host name, for example, myssohost.foo.com must also be specified as a host name and not an IP address. The IPv6 address cannot be specified in a WebGate profile.

Figure D-2 IPv6 with an Authenticating WebGate and Challenge Redirect


As illustrated in Figure D-2, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server using IPv4. WebGate, Oracle Access Manager server, and Oracle WebLogic Server with the Identity Asserter all communicate with each other using IPv4.

You should be able to access the application from a browser on the IPv4 network by going directly to the IPv4 server host name, and log in with a redirect to the IPv6 host myssohost.foo.com.

D.1.4 Considerations

The following considerations apply to each intended usage scenario:

  • IP validation does not work by default. To enable IP validation, you must add the IP address of the Proxy server as the WebGate's IPValidationException parameter value in the Access System Console.

  • IP address-based authorization does not work. Because all requests arrive through one IP address (the proxy IP), an authorization rule based on the client IP address would not serve its purpose.

D.2 Prerequisites

Regardless of the manner in which you plan to use Oracle Access Manager with IPv6 Clients, the following tasks should be completed before you start:

See Also:

  • Oracle Fusion Middleware Installation Guide for Web Tier (E14260-01)

  • Oracle HTTP Server Administrator's Guide (E10144-01)

D.3 Configuring IPv6 with Simple Authentication

Configuring your environment for simple authentication with Oracle Access Manager using the IPv6/IPv4 proxy is described in the following procedure.

The configuration in this procedure is an example only. In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server with WebGate. You must use values for your environment.

Note:

For this configuration you must use the Web server on which the WebGate is deployed as the Preferred HTTP host in the WebGate profile. You cannot use the IPv6 proxy name.

To configure IPv6 with simple authentication

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server to enable reverse proxy:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=HTTP_Server
      
    2. Edit the following file:

      UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following to the httpd.conf file:

      #---Added for Mod Proxy
      <IfModule mod_proxy.c>
      
      ProxyRequests Off
      ProxyPreserveHost On
      
      ProxyPass / http://OHS_host:OHS_port/
      ProxyPassReverse / http://OHS_host:OHS_port/
      
      </IfModule>
      
    4. Restart Oracle HTTP Server with the following command:

      opmnctl startproc ias-component=HTTP_Server
      
  2. Log in to the Access System Console. For example:

    http://hostname:port/access/oblix
    

    where hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

    The Access System main page appears.

  3. Click Access System Configuration, and then click AccessGate Configuration.

    The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

  4. Select the search attribute and condition from the lists (or click the All button to find all AccessGates), and then click Go.

  5. Click an AccessGate's name to view its details.

  6. Click the Modify button.

  7. Preferred HTTP Host: Specify the Web server name on which WebGate is deployed as it appears in all HTTP requests. The host name within the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user's HTTP request.

  8. To enable IP validation, add the IP address of the proxy server as the value of the IPValidationException parameter.

  9. Click Save.

D.4 Configuring IPv6 with an Authenticating WebGate and Challenge Redirect

Use the following procedure to configure your environment to use Oracle Access Manager with the IPv6/IPv4 proxy and an authenticating WebGate and challenge redirect.

The following procedure presumes a common proxy for both form-based authentication and the resource WebGate. For example, suppose you have the following configuration:


Resource WebGate is installed on http://myapphostv4.foo.com/
Resource is on http://myapphostv4.foo.com/testing.html

Authenticating WebGate is on http://myssohostv4.foo.com/
Login form is http://myssohostv4.foo.com/oamsso/login.html

Reverse Proxy URL is http://myapphost.foo.com/

Note:

For this configuration, the Preferred HTTP host must be the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host. You cannot use the IPv6 proxy name.

The proxy configuration to be used for this example is described in the following procedure. You must configure the Oracle HTTP Server, configure WebGate profiles to use the corresponding Oracle HTTP Server as the Preferred HTTP host, and configure the form-based authentication scheme with a challenge redirect value of the reverse proxy server URL (http://myapphost.foo.com/ in this example).

Be sure to use values for your own environment.

To configure IPv6 with an authenticating WebGate and challenge redirect

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server, as follows:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=HTTP_Server

    2. Edit the following file:

      UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following information for your environment to the httpd.conf file. For example:

      <IfModule mod_proxy.c>
      # Reverse proxy only: ProxyPass does not require forward proxying
      ProxyRequests Off
      ProxyPreserveHost On

      # Redirect login form requests and redirection requests to Authentication WebGate
      ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
      ProxyPassReverse /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi

      ProxyPass /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html
      ProxyPassReverse /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html

      ProxyPass /access/sso http://myssohostv4.foo.com/access/sso
      ProxyPassReverse /access/sso http://myssohostv4.foo.com/access/sso

      # Redirect resource requests to Resource WG
      ProxyPass / http://myapphostv4.foo.com/
      ProxyPassReverse / http://myapphostv4.foo.com/

      </IfModule>
      
    4. Restart Oracle HTTP Server with the following command:

      opmnctl startproc ias-component=HTTP_Server
      
  2. In the Access System Console, set the Preferred HTTP host for each WebGate as follows:

    1. Log in to the Access System Console. For example:

      http://hostname:port/access/oblix
      

      where hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

      The Access System main page appears.

    2. Click Access System Configuration, and then click AccessGate Configuration.

      The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

    3. Select the search attribute and condition from the lists (or click the All button to find all AccessGates), and then click Go.

    4. Click an AccessGate's name to view its details.

    5. Click the Modify button.

    6. Preferred HTTP Host: The name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.

    7. To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.

    8. Click Save.

    9. Repeat for each WebGate and specify the name of the Oracle HTTP Server Web server that is configured for this WebGate.

  3. From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:

    1. Click Access System Configuration, and then click Authentication Management.

    2. Click the name of the scheme to modify, and then click Modify.

    3. Configure the challenge redirect value to the Proxy server URL. In this example, the Proxy server URL is http://myapphost.foo.com/

    4. Click Save.

D.5 Configuring IPv6: Separate Proxy for Authentication and Resource WebGates

In this configuration you have multiple proxies: for example, one proxy for the authentication WebGate and another proxy for the resource WebGate. You can access the application from a browser on the IPv4 network by going directly to an IPv4 server host name, with a login redirect to an IPv6 host. For example:


Resource WebGate is on http://myapphostv4.foo.com/
Authenticating WebGate is on http://myssohostv4.foo.com

Proxy used for myapphostv4.foo.com should be myapphostv4.foo.com
Proxy used for myssohostv4.foo.com should be myssohostv4.com

Note:

You cannot use the IPv6 proxy name as the Preferred HTTP host in a WebGate profile.

In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server that is configured for WebGate. Be sure to use values for your own environment.

To configure IPv6 with a separate proxy for authentication and resource WebGates

  1. Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server for multiple proxies, as follows:

    1. Stop Oracle HTTP Server with the following command:

      opmnctl stopproc ias-component=HTTP_Server

    2. Edit the following file:

      UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
      Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
      
    3. Append the following information for your environment to the httpd.conf file. For example:

      <IfModule mod_proxy.c>
      ProxyRequests Off
      ProxyPreserveHost On
      
      ProxyPass / http://OHS_host:OHS_port/
      ProxyPassReverse / http://OHS_host:OHS_port/
      
      </IfModule>
      
    4. Restart Oracle HTTP Server with the following command:

      opmnctl startproc ias-component=HTTP_Server
      
  2. In the Access System Console, set the Preferred HTTP host for each WebGate as follows:

    1. Log in to the Access System Console. For example:

      http://hostname:port/access/oblix
      

      where hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.

      The Access System main page appears.

    2. Click Access System Configuration, and then click AccessGate Configuration.

      The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.

    3. Select the search attribute and condition from the lists (or click the All button to find all AccessGates), and then click Go.

    4. Click an AccessGate's name to view its details.

    5. Click the Modify button.

    6. Preferred HTTP Host: The name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.

    7. To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.

    8. Click Save.

    9. Repeat for each WebGate and specify the name of the Oracle HTTP Server Web server that is configured for this WebGate.

  3. From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:

    1. Click Access System Configuration, and then click Authentication Management.

    2. Click the name of the scheme to modify, and then click Modify.

    3. Configure the challenge redirect value to the Proxy server URL that acts as a reverse proxy for the authentication WebGate. In this example, the Proxy server URL is http://myssohost.foo.com/

    4. Click Save.
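
The mod_proxy fragments appended to httpd.conf in D.3, D.4 and D.5 can be checked before Oracle HTTP Server is restarted. The following Python lint is an added example, not part of the Oracle documentation: it flags forward proxying left enabled, ProxyPass and ProxyPassReverse lines whose path and URL are run together or split, trailing-slash mismatches, and specific paths placed after a catch-all rule. The name lint_mod_proxy and the sample fragment are constructed for illustration, using the host names from the D.4 example.

```python
from urllib.parse import urlsplit

def lint_mod_proxy(conf_text):
    """Return (line_number, message) findings for a reverse-proxy mod_proxy fragment."""
    findings, seen = [], []   # seen: ProxyPass paths in file order
    for num, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":
            continue          # skip blanks, comments and <IfModule> tags
        directive, *args = line.split()
        name = directive.lower()
        if name == "proxyrequests" and [a.lower() for a in args] == ["on"]:
            findings.append((num, "ProxyRequests On enables forward proxying; use Off"))
        elif name in ("proxypass", "proxypassreverse"):
            if len(args) != 2:
                findings.append((num, f"{directive}: expected '<path> <url>', got {len(args)} argument(s)"))
                continue
            path, url = args[0], urlsplit(args[1])
            if not path.startswith("/") or url.scheme not in ("http", "https") or not url.hostname:
                findings.append((num, f"{directive}: malformed path or backend URL"))
                continue
            if path.endswith("/") != url.path.endswith("/"):
                findings.append((num, f"{directive}: trailing slash differs between path and URL"))
            if name == "proxypass":
                # Apache applies the first ProxyPass rule that matches, so an
                # earlier rule for a parent path (such as "/") hides this one.
                hidden_by = next((p for p in seen
                                  if path == p or path.startswith(p.rstrip("/") + "/")), None)
                if hidden_by:
                    findings.append((num, f"ProxyPass {path} is shadowed by earlier ProxyPass {hidden_by}"))
                seen.append(path)
    return findings

# Constructed sample: the D.4 layout with the mistakes this lint targets.
BROKEN = """\
<IfModule mod_proxy.c>
ProxyRequests On
ProxyPreserveHost On
ProxyPass / http://myapphostv4.foo.com/
ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPass /access/sso http://myssohostv4.foo.com/ /access/sso
ProxyPassReverse /http://myapphostv4.foo.com/
</IfModule>
"""

if __name__ == "__main__":
    for num, message in lint_mod_proxy(BROKEN):
        print(f"line {num}: {message}")
```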