Oracle® Access Manager Installation Guide
10g (10.1.4.3)
E12493-02

19 Installing Web Components for the IIS Web Server

This chapter summarizes activities that you need to perform to configure Oracle Access Manager 10.1.4 Web components (WebPass, Policy Manager, WebGate) with a Microsoft Internet Information Server (IIS Web server for Windows environments). Unless explicitly stated, information and steps in this chapter apply equally to 32-bit and 64-bit WebGate installations. Topics include:

19.1 Guidelines for Oracle Access Manager Web Components and IIS

ISAPI is an Internet Web server extension that Oracle Access Manager uses to identify Web server components (WebPass, Policy Manager, WebGate) that communicate with the IIS Web server. For example, you will need the following packages to install the Oracle Access Manager Web components for IIS:

Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_WebPass

Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_Policy_Manager

Oracle_Access_Manager10_1_4_3_0_Win32_ISAPI_WebGate

64-bit WebGate: Oracle_Access_Manager10_1_4_3_0_Win64_ISAPI_WebGate.exe

Updating the IIS Web server configuration file is required when installing Oracle Access Manager Web components. With IIS Web servers, a configuration update involves updating the Web server directly by adding the ISAPI filter and creating extensions required by Oracle Access Manager. A filter listens to all requests to the site on which it is installed. Filters can examine and modify both incoming and outgoing streams of data to enhance IIS functionality. ISAPI extensions are implemented as DLLs that are loaded into a process that is controlled by IIS. Like ASP and HTML pages, IIS uses the virtual location of the DLL file in the file system to map the ISAPI extension into the URL namespace that is served by IIS.

Oracle recommends that you update the IIS Web server configuration file automatically during Oracle Access Manager Web component installation. Automatic updates may take more than a minute. However, updating the IIS Web server configuration file manually takes longer and could introduce unintended errors.

For more specific guidelines, see:

19.1.1 WebPass Guidelines for IIS Web Servers

The WebPass must be installed on the same Web server instance as a Policy Manager, at the same directory level as a Policy Manager. The WebPass installer cannot update multiple Web server instances. If you have multiple IIS Web server instances installed, be sure to install a separate WebPass on each Web server instance.

Your Web server must be configured to operate with the WebPass. Oracle recommends automatically updating your Web server configuration during WebPass installation.

19.1.2 Policy Manager Guidelines for IIS Web Servers

The Policy Manager must be installed on the same Web server instance as a WebPass, at the same directory level as a WebPass. The Policy Manager installer cannot update multiple Web server instances. If you have multiple IIS Web server instances installed, be sure to install a separate Policy Manager on each Web server instance.

When installing the Policy Manager for an IIS Web server with:

  • Windows 2000: When installing the Policy Manager on Windows 2000 with IIS, ensure that the group named Everyone has full access to the \temp directory and the drive (for example, C or D) to which the \temp directory belongs. The TEMP variable needs to be set to point to a valid directory, either for the entire system or for the IIS user. Oracle recommends setting the TEMP variable for the entire system.

  • Active Directory: If you specify Active Directory on Windows Server 2003 as the directory server during Policy Manager installation, a new page appears asking if dynamic auxiliary classes are to be supported. If you are using ADSI, you need to set the IIS Web server Anonymous User Login Account to a Domain User after installation and before setting up the Policy Manager. For more information about Active Directory, see Appendix A.

A Policy Manager installed with an IIS Web server depends on the Registry to obtain the \PolicyManager_install_dir. To avoid a conflict in the Registry when you install two Policy Managers on a single computer, one with an IIS Web server and the other with a Sun Web server, you must install the Policy Managers as outlined in the following procedure.

Task overview: To avoid a conflict with IIS and Sun Web server instances

  1. Install the Policy Manager with the Sun Web server first.

  2. Install the Policy Manager with the IIS Web server second.

For more information about installing a Policy Manager, see Chapter 7.

19.1.3 WebGate Guidelines for IIS Web Servers

This topic gives general information for a single WebGate installed with an IIS Web server. In addition, you can install multiple WebGates with a single IIS Web server or you might have a 64-bit WebGate. 

Unless explicitly stated, these details apply equally to 32-bit and 64-bit WebGates.




Before installing the WebGate, ensure that your IIS Web server is not in lockdown mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lockdown.

Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

Each IIS Virtual Web server can have its own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the WebGate.dll at the site level to control all virtual hosts or install the WebGate.dll for one or all virtual hosts.

You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir, as described in "Installing postgate.dll on IIS Web Servers". If you perform multiple installations, multiple versions of this file may be created which may cause unusual Oracle Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist.


Note:

The postgate.dll is always installed at the site level. If for some reason the WebGate is reinstalled, the postgate.dll is also reinstalled. In this case, ensure that only one copy of the postgate.dll exists at the site level.


As with other Oracle Access Manager Web components, your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. Also:

  • You may receive special instructions to perform during WebGate installation. For example: Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

  • On IIS, if you are using client certificate authentication you must enable SSL on the IIS Web server hosting the WebGate before enabling client certificates for WebGate. You must also ensure that various filters are installed in a particular order. In addition, you may need to install the postgate.dll as an ISAPI filter.

For information about installing a WebGate, see Chapter 9.

19.1.4 64-bit WebGates for IIS v6

You perform installation for this WebGate as you do for all others, using instructions available in Chapter 9. If you choose manual IIS configuration during WebGate installation, you can access details in the following path:

WebGate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm

Following WebGate installation and IIS configuration, perform tasks in "Finishing 64-bit WebGate Installation".

19.1.5 Multiple WebGates with a Single IIS Instance

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.

IIS v6.0 supports hosting multiple Web sites on a single Web server and Oracle Access Manager ISAPI WebGate allows you to protect each Web site with a different WebGate.

Previous releases of the Oracle Access Manager ISAPI WebGate did not support multiple WebGates with a single IIS Web server instance. You either had to install one WebGate for all Web sites at the top level, or protect a single Web site by configuring WebGate at the Web site level.

IIS 6 provides application pools that are used to run virtual servers. You can think of an application pool as a group of one or more URLs that are served by a worker process or a set of worker processes. An application pool is a configuration that links one or more applications to a set of one or more worker processes. Because applications in this pool are separated from other applications by worker process boundaries, an application in one application pool is not affected by problems caused by applications in other application pools. Today, WebGate instances can run in different process spaces.

When you have multiple Web sites on a single IIS v6.0 Web server instance, you need to ensure that user requests reach the correct Web site. To do this, you need to configure a unique identity for each site on the server using at least one of three unique identifiers:

  • Host header name

  • IP address

  • TCP port number


Note:

If you have multiple Web sites on a single server and these are distinguished by IP address and port, multiple WebGates are not required. Starting with release 10.1.4.2.0 virtual hosts on Apache and IIS 6.0 are supported. As a result, a single WebGate on the top level can protect all the Web sites even if the IP addresses are different. This is handled by using different Host Identifiers for each Web site.


You can install multiple WebGates on different Web sites of the same IIS Web server instance. However, several manual steps are required.

19.1.6 Caching Guidelines

The IIS WebGate is partially implemented as a Microsoft ISAPI extension where preventing caching of specific content is limited. Due to this, do not turn on IIS kernel caching if a WebGate is configured.

19.2 Compatibility and Platform Support

For the latest Oracle Access Manager certification information, see Oracle Technology Network at:

http://www.oracle.com/technology/products/id_mgmt/coreid_acc/pdf/oracle_access_manager_certification_10.1.4_r3_matrix.xls

19.3 Verifying WebPass Permissions on IIS

Once you have installed WebPass and updated the Web server configuration, you should ensure that the WebPass installation directory has the proper permissions to run correctly.

To verify the WebPass IIS Web server configuration

  1. Locate the following directory:

    \WebPass_install_dir\identity\oblix\apps\webpass\bin

  2. Right click the \bin directory, then select Properties.

  3. Select the Security tab and ensure that "Allow" for "Read" and "Write" rights are granted to user "SERVICE".

To verify when WebPass was set up in Simple or Cert mode

  1. Locate \WebPass_install_dir\identity\oblix\config\password.xml.

  2. Right click password.xml, then select Properties.

  3. Select the Security tab and ensure that "Allow" for "Read" rights are granted to users:

    "IUSR_<computer_name>"

    "IWAM_<computer_name>"

    "NETWORK SERVICE"

    "IIS_WPG" (only for IIS 6.0)

19.4 Verifying Policy Manager Permissions on IIS

Whether you updated your configuration automatically during Policy Manager installation or manually, you can easily verify that the directory permissions are properly set for Oracle Access Manager.

To verify the Policy Manager IIS Web server configuration

  1. Launch your Web browser, and open the following file, if needed. For example:

    \PolicyManager_install_dir\access\oblix\lang\langTag\docs\config.htm

  2. Select the appropriate Web server interface configuration protocol from the table on the screen, also shown under "Manually Configuring Your Web Server".

  3. Review the directory permissions and compare them to those set on the Policy Manager Web server.

19.5 Completing WebGate Installation with IIS

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.




Completing WebGate installation with an IIS Web server includes the following activities after the installation is complete.

Task overview: Completing IIS WebGate installations includes

  1. "Enabling Client Certificate Authentication on the IIS Web Server"

  2. "Ordering the ISAPI Filters"

  3. "Installing postgate.dll on IIS Web Servers"

  4. "Protecting a Web Site When the Default Site is Not Setup"

19.5.1 Enabling Client Certificate Authentication on the IIS Web Server

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.

If you are using client certificate authentication, you must enable SSL on the IIS Web server. If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters.

The procedures here reflect the sequence for IIS v5. Your environment might be different.

To enable SSL on the IIS Web server

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Expand the Default Web Site (or the appropriate Web site), then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties.

  5. In the Properties panel, select the File Security tab.

  6. In the Secure Communications sub-panel, click Edit.

  7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

  8. Click OK in the cert_authn.dll Properties panel.

  9. Proceed to the next procedure: "To add cert_authn.dll as an ISAPI filter".

To add cert_authn.dll as an ISAPI filter

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right click the appropriate Web Site to display the Properties panel.

  4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.

  5. Enter filter name "cert_authn".

  6. Click the Browse button and navigate to the following directory:

    \WebGate_install_dir\access\oblix\apps\webgate\bin

  7. Select cert_authn.dll as the executable.

  8. Click OK on the Filter Properties panel.

  9. Click Apply on the ISAPI Filters panel.

  10. Click OK.

  11. Ensure the filters are listed in the correct order.

19.5.2 Ordering the ISAPI Filters

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.

It is important to ensure that the WebGate ISAPI filters are included in the right order.


Note:

This task is the same whether you are installing one or more WebGates per IIS Web server instance.


To order the WebGate ISAPI filters

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Click Properties, select ISAPI filters.

  5. Confirm the following .dll files appear.

    For example:

    cert_authn.dll webgate.dll oblixlock.dll transfilter.dll

  6. Add any missing filters, if needed, then select a filter name and use the up and down arrows to arrange the filter order as shown in step 5.


    WARNING:

    Confirm that there is only one webgate.dll and one postgate.dll filter. If you perform multiple WebGate installations on one computer, multiple versions of the postgate.dll file might be created and cause unusual Oracle Access Manager behavior.


19.5.3 Installing postgate.dll on IIS Web Servers

Unless explicitly stated, details in this topic apply equally to 32-bit and 64-bit WebGates.

Following WebGate installation, you might need to install the postgate.dll manually.


Note:

POST data is used in an authorization decision that includes rule parameters (for the AzMan authorization plug-in, for example). In this case, postgate.dll must be installed. However, postgate.dll is not supported when you have more than one WebGate installed and configured for a single IIS Web server instance.


POST data is required for pass through during a form login on the IIS Web server when using the WebGate extension method (where the WebGate is the action of the form). In other words, if a form authentication scheme on the IIS Web server is configured with the passthrough option, and the target of the login form requires the data posted by the form, the WebGate extension method (where the WebGate DLL is the action of the form) cannot be used. The WebGate filter method (where the action of the form is a protected URL that is not the WebGate DLL) must be used instead, and the postgate DLL must be installed and enabled.

The following procedures presume that you are familiar with the IIS Web server commands. Two procedures are provided:

19.5.3.1 Setting Up IIS Web Server Isolation Mode

On IIS 6 Web servers only, you must run the WWW service in IIS 5.0 isolation mode. This is required by the ISAPI postgate filter.

To set IIS 5.0 isolation on IIS 6 Web servers

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Select the Service tab in the Web Site Properties window.

  5. Check the box beside Run WWW service in IIS 5.0 Isolation Mode.

  6. Click OK.

19.5.3.2 Installing the Postgate ISAPI Filter

For single WebGate installations, you should install the filters in the following order:

  • The ISAPI WebGate filter should be installed after the sspifilt filter and before any others.

  • The postgate filter should be installed before the WebGate filter, only if needed.

  • All other Oracle Access Manager filters can be installed at the end.


    Note:

    Before installation (or after uninstallation) the filters must be removed manually. If multiple copies of a filter are installed, this means that they were not manually removed before installing the new filters.


There can only be one postgate.dll configured at the (top) Web Sites level of a computer. You can have multiple webgate.dlls configured at different levels from the top level Web Sites. However, they share the same postgate.dll. If you perform multiple WebGate installations on one computer, multiple versions of the postgate.dll file can be created which might cause unusual Oracle Access Manager behavior.


Note:

postgate.dll is not supported when you have more than one WebGate installed and configured for a single IIS Web server instance.


The following procedures guide you as you install and position the postgate ISAPI filter when you have a single WebGate installed with a single IIS Web server instance.

To install the postgate ISAPI filter

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Information Services.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Web Site and select Properties.

  4. Select the ISAPI Filters tab in the Web Site Properties window.

  5. Click the Add button to display the Filter Properties panel.

  6. Enter the filter name "postgate".

  7. Click the Browse button and navigate to the following directory:

    \WebGate_install_dir\access\oblix\apps\webgate\bin

  8. Select postgate.dll as the executable.

  9. Click OK on the Filter Properties panel.

  10. Click Apply on the ISAPI Filters panel.

To restart IIS and reposition the postgate ISAPI filter

  1. Start the Internet Information Services console, if needed.

  2. Right-click your local computer, then select All Tasks, select Restart IIS.

  3. Select the ISAPI Filters tab on the Properties panel.

  4. Select the postgate filter and move it before WebGate, using the up arrow.

    For example:

    postgate.dll webgate.dll oblixlock.dll

  5. Restart IIS or proceed with "Protecting a Web Site When the Default Site is Not Setup" next.


    Note:

    Consider using net stop iisadmin and net start w3svc to help ensure that the Metabase does not become corrupted.
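The ordering rules in "Ordering the ISAPI Filters" and in this topic, together with the one-webgate.dll/one-postgate.dll warning, can be checked with a script. This is an added example, not Oracle code: the function names are hypothetical, the sample paths are constructed, and `Get-IisFilterPaths` assumes the IIS 6 ADSI provider with the top-level filters at `IIS://localhost/W3SVC/Filters`.

```powershell
# Added example (not Oracle code). Requires Windows PowerShell 2.0 or later.

function Test-WebGateFilterOrder {
    param([string[]]$FilterPaths)   # filter DLL paths, in load order

    # Relative-order rules taken from the examples and bullets in this chapter.
    # A rule is applied only when both DLLs are present in the list.
    $rules = @(
        @{ Before = 'sspifilt.dll';   After = 'webgate.dll'     }
        @{ Before = 'postgate.dll';   After = 'webgate.dll'     }
        @{ Before = 'cert_authn.dll'; After = 'webgate.dll'     }
        @{ Before = 'webgate.dll';    After = 'oblixlock.dll'   }
        @{ Before = 'oblixlock.dll';  After = 'transfilter.dll' }
    )

    # Compare on lower-case file names so different install directories still match.
    $names = @($FilterPaths | Where-Object { $_ } |
        ForEach-Object { [System.IO.Path]::GetFileName($_).ToLower() })

    # The chapter warns that extra copies of these two filters cause unusual behavior.
    foreach ($dll in 'webgate.dll', 'postgate.dll') {
        $count = @($names | Where-Object { $_ -eq $dll }).Count
        if ($count -gt 1) { "DUPLICATE: $dll is registered $count times" }
    }

    foreach ($rule in $rules) {
        $first  = [array]::IndexOf($names, $rule.Before)
        $second = [array]::IndexOf($names, $rule.After)
        if ($first -ge 0 -and $second -ge 0 -and $first -gt $second) {
            "ORDER: $($rule.Before) must be listed before $($rule.After)"
        }
    }
}

function Get-IisFilterPaths {
    # Assumption: IIS 6 metabase reachable through ADSI. For one Web site,
    # pass IIS://localhost/W3SVC/<site id>/Filters instead of the default.
    param([string]$MetabasePath = 'IIS://localhost/W3SVC/Filters')

    $node  = [ADSI]$MetabasePath
    $order = [string]$node.Properties['FilterLoadOrder'].Value
    foreach ($name in $order.Split(',')) {
        $name = $name.Trim()
        if ($name) { ([ADSI]"$MetabasePath/$name").Properties['FilterPath'].Value }
    }
}

# Constructed sample: a second WebGate install left a stale postgate.dll behind,
# and postgate was never moved above webgate.
$sample = @(
    'C:\WINDOWS\system32\inetsrv\sspifilt.dll',
    'D:\wg1\access\oblix\apps\webgate\bin\webgate.dll',
    'D:\wg1\access\oblix\apps\webgate\bin\postgate.dll',
    'D:\wg2\access\oblix\apps\webgate\bin\postgate.dll',
    'D:\wg1\access\oblix\apps\webgate\bin\oblixlock.dll'
)
Test-WebGateFilterOrder -FilterPaths $sample

# On the Web server itself:
# Test-WebGateFilterOrder -FilterPaths (Get-IisFilterPaths)
```

An empty result means no duplicate and no ordering violation was found among the filters the chapter names.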


19.5.4 Protecting a Web Site When the Default Site is Not Setup

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.

When you install a WebGate on an IIS Web server that does not have the "Default Web Site" configured, the installer does not create "Virtual Directory access", which must be done manually using the following procedure.

To protect a Web site (not the default site)

  1. Start the Internet Information Services console, if needed.

  2. Select the name of the Web site to protect.

  3. Right-click the name of the Web site to protect and select New, and then select Virtual Directory in the menu.

  4. Click Next.

  5. Select Alias: access, then click Next.

  6. Directory: Enter the full path to the /access directory, then click Next.

    WebGate_install_dir\access

  7. Select Read, Run Scripts, and Execute, then click Next.

  8. Click Finish.

  9. Restart IIS. For example:


    Select Start, then Run.
    Type net start w3svc.
    Click OK.

19.6 Installing and Configuring Multiple WebGates for a Single IIS Instance

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.

This section describes how to install and configure multiple WebGates for different Web sites on the same IIS Web server instance. Several steps are manual and will differ from those that are performed when you install a single WebGate with a single IIS instance. When installing multiple WebGates for a single IIS instance:

When configuring the impersonation DLL for multiple WebGates, you need to configure a user to act as the operating system.

There can only be one postgate.dll configured at the (top) Web Sites level of a machine. However, you might have multiple webgate.dlls configured at different levels below the top level Web Sites. If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created that can cause unusual Oracle Access Manager behavior.

Task overview: Installing and configuring multiple WebGates for a single IIS instance

  1. Installing Each WebGate in a Multiple WebGate Scenario

  2. Setting the Impersonation DLL for Multiple WebGates

  3. Enabling SSL and Client Certification for Multiple WebGates

  4. Perform the following tasks, which are the same whether you install one or more WebGates per IIS Web server instance:

19.6.1 Installing Each WebGate in a Multiple WebGate Scenario

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.

After installing the ISAPI WebGate, there are several manual steps to perform as described here.

By default, webgate.dll is configured as an ISAPI filter at the Web sites (top) level. When installing multiple WebGates with a single IIS instance, you need to remove the respective webgate.dll from the top level and configure it for the appropriate individual Web site after each WebGate installation.


Note:

If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created which can cause unusual Oracle Access Manager behavior. The postgate.dll is not supported in environments where you have multiple WebGates configured with a single IIS v6 web server instance.


To install each WebGate when you will have several with one IIS instance

  1. Install the ISAPI WebGate as described in Chapter 9.

  2. Go to the Web site to protect, and configure webgate.dll as the ISAPI filter using these steps:

    1. Start the Internet Information Services (IIS) Manager: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

    2. Right click Web Sites, and then click the Properties option.

    3. Click the ISAPI filter tab, look for the path to webgate.dll; if it is present in the filter, then select it and click the Remove button.

    4. Under Web Sites, right-click the name of the Web site to protect, and select the Properties option.

    5. Click the ISAPI filter tab to add the filter DLLs.

    6. Add the following filter to identify the path to the webgate.dll file, and name it "webgate".

      WebGate_install_dir/access/oblix/apps/webgate/bin/webgate.dll
      
    7. Save and apply these changes.

    8. Go to the Directory Security tab.

    9. Confirm that "anonymous access" and "basic authentication" are selected so that Oracle Access Manager provides authentication for this Web server.

    10. Save and apply these changes.

  3. Go to Web sites level to protect and create an /access virtual directory that points to the newly installed WebGate_install_dir:

    1. Under Web Sites, right-click the name of the Web site to be protected.

    2. Select New and create a new virtual directory named access that points to the appropriate WebGate_install_dir/access.

    3. Under Access Permissions, check Read, Run Scripts, and Execute.

    4. Save and apply these changes.

  4. In the file system, set directory permissions for Oracle Access Manager:

    1. In the file system, locate and right-click WebGate_install_dir\access, and then select Properties.

    2. Click the Security tab.

    3. Add user "IUSR_machine_name" and then select "Allow" for "Modify".

      For example, for a machine_name of Oracle, select IUSR_ORACLE.

    4. Add user "IWAM_machine_name" and then select "Allow" for "Modify".

      For example, for a machine_name Oracle, select IWAM_ORACLE.

    5. Add user "IIS_WPG" and then select "Allow" for "Modify".

    6. Add user "NETWORK SERVICE" and then select "Allow" for "Modify".

    7. For the group "Administrators", select "Allow" for "Modify".

  5. If WebGate has been set up in Simple or Cert mode, perform the following steps:

    1. In the file system, locate and right-click the "password.xml" file in WebGate_install_dir\access\oblix\config\password.xml.

    2. Click the Security tab.

    3. Give "Allow" for "Read" rights to users "IUSR_machine_name", "IWAM_machine_name", "IIS_WPG", and "NETWORK SERVICE".

  6. Add a new Web service extension using the following steps:

    1. Right click Web Service Extensions, and then select Add a new Web service extension....

    2. Add the Extension name Oracle WebGate.

    3. Click Add to add the path to the extension file, and then enter the path to the appropriate webgate.dll.

      WebGate_install_dir\access\access\oblix\apps\webgate\bin\webgate.dll
      
    4. Click OK to save the changes.

    5. Check the box beside Set extension status to allowed.

    6. Click OK to save the changes.

  7. Ensure that there is no webgate.dll in the ISAPI filter at the top Web site level (“web sites”).

  8. Perform the next set of tasks using instructions in the following topics:

    1. "Setting the Impersonation DLL for Multiple WebGates"

    2. "Enabling SSL and Client Certification for Multiple WebGates"

  9. Repeat these steps when you install the next WebGate for the IIS instance.
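The file-system permissions set in steps 4 and 5 above, and those listed in "Verifying WebPass Permissions on IIS", can be checked from a script instead of the Security tab. This is an added example, not Oracle code: `Test-OamAcl` is a hypothetical name, the two install directories are placeholders, and the IUSR_/IWAM_ account names are assumed to follow the computer name.

```powershell
# Added example (not Oracle code). Requires Windows PowerShell 2.0 or later.

function Test-OamAcl {
    param(
        [string]$Path,
        [string[]]$Accounts,
        [System.Security.AccessControl.FileSystemRights]$Rights
    )
    $want        = [int]$Rights
    $inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

    # Keep only entries that apply to the object itself, not just to its children.
    $rules = @((Get-Acl -Path $Path).Access | Where-Object {
        (([int]$_.PropagationFlags) -band $inheritOnly) -eq 0 })

    foreach ($account in $Accounts) {
        $allowMask = 0
        $denyMask  = 0
        foreach ($rule in $rules) {
            # Compare on the bare name, ignoring a DOMAIN\, BUILTIN\ or NT AUTHORITY\ prefix.
            # Only entries that name the account directly are counted; access that
            # reaches the account through a group membership is not resolved here.
            $name = $rule.IdentityReference.Value -replace '^.*\\', ''
            if ($name -ne $account) { continue }
            if ($rule.AccessControlType -eq 'Allow') {
                $allowMask = $allowMask -bor [int]$rule.FileSystemRights
            } else {
                $denyMask = $denyMask -bor [int]$rule.FileSystemRights
            }
        }
        New-Object PSObject -Property @{
            Path    = $Path
            Account = $account
            Rights  = $Rights
            # Every requested right is allowed and none of them is denied.
            Granted = ((($allowMask -band $want) -eq $want) -and
                       (($denyMask -band $want) -eq 0))
        }
    }
}

# Placeholders: replace with the real install directories.
$webPass = 'C:\WebPass_install_dir'
$webGate = 'C:\WebGate_install_dir'

# Assumption: the IIS accounts carry the local computer name.
$iisAccounts = "IUSR_$($env:COMPUTERNAME)", "IWAM_$($env:COMPUTERNAME)",
               'IIS_WPG', 'NETWORK SERVICE'

$checks = @(
    # "Verifying WebPass Permissions on IIS"
    @{ Path = "$webPass\identity\oblix\apps\webpass\bin"
       Accounts = @('SERVICE'); Rights = 'Read, Write' }
    @{ Path = "$webPass\identity\oblix\config\password.xml"
       Accounts = $iisAccounts; Rights = 'Read' }
    # Steps 4 and 5 of the multiple-WebGate procedure
    @{ Path = "$webGate\access"
       Accounts = ($iisAccounts + 'Administrators'); Rights = 'Modify' }
    @{ Path = "$webGate\access\oblix\config\password.xml"
       Accounts = $iisAccounts; Rights = 'Read' }
)

foreach ($check in $checks) {
    if (Test-Path $check.Path) {
        Test-OamAcl @check | Where-Object { -not $_.Granted }
    } else {
        Write-Warning "Not found: $($check.Path)"
    }
}
```

Each object printed is an account that lacks the stated right on that path; no output means every check passed.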

19.6.2 Setting the Impersonation DLL for Multiple WebGates

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates.

The client's access token is known as an impersonation token. The impersonation token identifies the client, the client's groups, and the client's privileges. The information in the token is used during access checks when the thread requests access to resources on the client's behalf.

The Access System authenticates and authorizes the user. The Oracle Access Manager (OAM) IISImpersonationExtension.dll, configured as a wildcard extension, behaves like a filter for each request to the Web server. The Access System designates a special user that does have the right to impersonate another user; you configure this user with the impersonation username/password on the AccessGate configuration page. That designated user must have "act as operating system" rights. The DLL impersonates the user authenticated and authorized by OAM and generates the impersonation token.

You perform the following steps to set the impersonation DLL for each WebGate that protects a Web site for a single IIS Web server instance. You can do this either immediately after the installation task in the previous topic or all at one time.


Note:

This task must be performed for each WebGate that protects an individual Web site for a single IIS Web server instance.


To add the impersonation DLL to IIS configuration for individual Web sites

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Click the plus icon (+) beside the Local Computer icon in the left pane to display your Web Sites.

  3. Click Web Service Extensions in the left pane.

  4. Double-click WebGate in the right pane to open the Properties panel.

  5. Click the Required Files tab.

  6. Click Add.

  7. In the Path to file text box, type the full path to IISImpersonationExtension.dll, and then click OK. For example:

    WebGate_install_dir\access\oblix\apps\webgate\bin\IISImpersonationExtension.dll
    

    This example shows the default path, where WebGate_install_dir is the file system directory where you have installed this particular WebGate.

  8. Verify that the Allow button beside the WebGate icon is grayed out, which indicates that the dll is allowed to run as a Web service extension.

  9. Right click the Web site name, and then click Properties.

  10. Click the Home Directory tab, and then click the Configuration button.

  11. In the list box for Wildcard application maps, click the entry for IISImpersonationExtension.dll to highlight it, then click Edit.

  12. Ensure that the box is unchecked, and then click OK.

  13. Repeat these steps for each WebGate and Web site pair for the IIS Web server instance.

  14. Proceed as follows:

19.6.3 Enabling SSL and Client Certification for Multiple WebGates

You perform this task to enable client certification for each WebGate that protects a Web site for a single IIS Web server instance. You can do this either immediately after adding the impersonation DLL to an individual Web site or all at one time.


Note:

Procedures in this topic apply equally to 32-bit and 64-bit WebGates, unless stated otherwise.


If you select client certificate authentication during setup, you must also add the cert_authn.dll as one of the ISAPI filters in the respective Web site.

To enable SSL on the IIS Web server

  1. Start the Internet Information Services (IIS) Manager, if needed: Click Start, Programs, Administrative Tools, Internet Information Services (IIS) Manager.

  2. Expand the local computer icon to display your Web Sites.

  3. Expand the appropriate individual Web Site, then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties.

  5. In the Properties panel, select the File Security tab.

  6. In the Secure Communications sub-panel, click Edit.

  7. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

  8. Click OK in the cert_authn.dll Properties panel.

  9. Repeat for each WebGate installed on this host.

  10. Proceed to the next task: "To add cert_authn.dll as an ISAPI filter".

To add cert_authn.dll as an ISAPI filter

  1. Start the Internet Information Services console, if needed.

  2. Expand the local computer to display your Web Sites.

  3. Right click the appropriate Web Site to display the Properties panel.

  4. Click the ISAPI Filters tab, then click the Add button to display the Filter Properties panel.

  5. Enter filter name "cert_authn".

  6. Click the Browse button and navigate to the following directory:

    \WebGate_install_dir\access\oblix\apps\webgate\bin

  7. Select cert_authn.dll as the executable.

  8. Click OK on the Filter Properties panel.

  9. Click Apply on the ISAPI Filters panel.

  10. Click OK.

  11. Repeat for each WebGate installed on this host.

  12. Ensure the filters are listed in the correct order.

  13. Proceed to "Confirming Multiple WebGate Installation".

19.6.4 Confirming Multiple WebGate Installation

This task applies equally to 32-bit and 64-bit WebGates.

If you perform multiple WebGate installations on one machine, multiple versions of the postgate.dll file might be created, which can cause unusual Oracle Access Manager behavior. The postgate.dll file is not supported in environments where you have multiple WebGates configured with a single IIS v6 Web server instance.

19.7 Finishing 64-bit WebGate Installation

This section describes how to complete installation of a 64-bit WebGate. You can skip this section if you are installing a 32-bit WebGate; in that case, see "Completing WebGate Installation with IIS" instead.

Before you start tasks here, be sure that you have completed WebGate installation according to information in Chapter 9. You must also have completed Web server configuration updates for this WebGate either automatically during WebGate installation or manually, as described in "64-bit WebGates for IIS v6".

Task overview: Finishing installation of a 64-bit WebGate

  1. Perform steps in "Setting Access Permissions, ISAPI filters, and Directory Security Authentication".

  2. Enable client certificates, if desired. See "Setting Client Certificate Authentication".

  3. When finished, you can:

19.7.1 Setting Access Permissions, ISAPI filters, and Directory Security Authentication

Unless explicitly stated, this topic applies equally to 32-bit and 64-bit WebGates. It describes setting access permissions for the Web site that you are using as a default.

If you have already installed the Policy Manager with the IIS instance, you can use the following steps to confirm permissions.

To set or confirm access permissions, ISAPI filters, and Directory Security Authentication

  1. Start the Internet Service Manager. For example, from the Start menu click Programs then click Administrative Tools, and click Internet Service Manager.

  2. Expand the local computer by clicking + in the left panel.

  3. Click to expand the Web Sites tab.

  4. Right-click Default Web Site (or the site you are using as a default), and create a virtual directory as described in "Protecting a Web Site When the Default Site is Not Setup".

  5. Right-click Web Sites in the Internet Information Services tab, click Properties, and perform the following steps:

    1. From the Internet Information Services tab, click the Edit button.

    2. Locate the ISAPI filter tab to confirm (or add) the filter DLLs, as follows:

      Filter: If you updated the IIS Web server configuration file, webgate.dll should be properly located.

      No Filter: Add the webgate.dll filter from WebGate_install_dir\oblix\access\apps\webgate\bin\webgate.dll

    3. Save and apply any changes.

    4. Click the Directory Security tab and confirm that both Anonymous Access and Basic Authentication are selected.

      Selected: Proceed to Step 6.

      Not Selected: Select Anonymous Access and Basic Authentication, then save and apply these changes.

  6. Proceed as follows:

19.7.2 Setting Client Certificate Authentication

This task is optional and should be done only if you want to use client certificate authentication. In this case, IIS and WebGate must be SSL-enabled.

Information in this topic is a subset of details in "Enabling Client Certificate Authentication on the IIS Web Server".

To add cert_authn.dll as an ISAPI filter

  1. Start the Internet Information Services console, if needed: Click Start, Programs, Administrative Tools, Internet Service Manager.

  2. Expand the local computer to display your Web Sites.

  3. Right-click the Default Web Site (or the Web site that you use as a default), then expand \access\oblix\apps\webgate\bin.

  4. Right click cert_authn.dll and select Properties, then:

    1. In the Properties panel, select the File Security tab.

    2. In the Secure Communications sub-panel, click Edit.

    3. In the Client Certificate Authentication sub-panel, click Accept Certificates and click OK.

    4. Click OK in the Secure Communications panel.

    5. Click OK in the cert_authn.dll Properties panel.

  5. Click the ISAPI Filters tab, click the Add button to display the Filter Properties panel, and then:

  6. Ensure the filters are listed in the correct order, as described in "Ordering the ISAPI Filters".

  7. Proceed to "Confirming WebGate Installation on IIS".

19.8 Confirming WebGate Installation on IIS

After installing WebGate and updating the IIS Web server configuration file, you can use the WebGate diagnostics to verify the WebGate is properly installed.


Note:

This task is the same for both 32-bit and 64-bit WebGates. It is the same whether you are installing one or more WebGates per IIS Web server instance.


To verify WebGate installation

  1. Go to the URL:

         http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1
    

    where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number.

  2. The WebGate diagnostic page should appear.

    • Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page.

    • Unsuccessful: If the WebGate diagnostic page does not open, the WebGate is not functioning properly. In this case, the WebGate should be uninstalled and reinstalled. For more information about removing Oracle Access Manager, see Chapter 22, then return to the chapter on installing a WebGate (Chapter 9).

19.9 Starting, Stopping, and Restarting the IIS Web Server

When instructed to restart your IIS Web server during Oracle Access Manager Web component installation or setup, be sure to follow any instructions that appear on the screen. Also, consider using net stop iisadmin and net start w3svc, which are good ways to stop and start the Web server. This is true for all Oracle Access Manager Web components and is especially true after installing the Policy Manager. The net commands help to ensure that the Metabase does not become corrupted following an installation.

For more information, see the Web component chapters in this book:

19.10 Removing Web Server Configuration Changes Before Uninstall

The information in this section applies equally to 32-bit and 64-bit WebGates.

Web server configuration changes that occur during installation must be manually reverted after uninstalling the Oracle Access Manager component (WebPass, Policy Manager, WebGate). For example, the ISAPI transfilter will be installed for IIS WebPass. However, if you uninstall WebPass this is not removed automatically. Also, the created Web service extension and the link to the identity directory will not be removed. This type of information must be removed manually. These are examples of information to remove, not a complete list.

Further, you must remove any changes that you manually made to your Web server configuration file for the Oracle Access Manager component (WebPass, Policy Manager, WebGate). For more information about what is added for each component, look elsewhere in this chapter.

To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase.
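Because removing a filter from the IIS list can leave references behind in the metabase, one way to find them is to scan a copy of the XML metabase for the filter and DLL names used in this chapter. This is an added example, not Oracle or Microsoft tooling; the sample XML is constructed, and the marker list is an assumption built from names on this page.

```python
import sys
import xml.etree.ElementTree as ET

# Substrings of the filter and DLL names used in this chapter, matched case-insensitively.
OAM_MARKERS = ("webgate", "cert_authn", "postgate",
               "iisimpersonationextension", "transfilter")

# Constructed sample, not a real metabase. Paths and values are made up, and the
# scan below does not depend on any particular element or attribute name.
SAMPLE_METABASE = r"""<configuration xmlns="urn:example:constructed">
  <MBProperty>
    <IIsFilters Location="/LM/W3SVC/1/Filters" FilterLoadOrder="cert_authn,Compression"/>
    <IIsFilter Location="/LM/W3SVC/1/Filters/cert_authn"
               FilterPath="D:\oam\access\oblix\apps\webgate\bin\cert_authn.dll"/>
    <IIsWebService Location="/LM/W3SVC"
                   WebSvcExtRestrictionList="1,D:\oam\access\oblix\apps\webgate\bin\IISImpersonationExtension.dll,0,,constructed"/>
    <IIsWebServer Location="/LM/W3SVC/2" ServerComment="Intranet"/>
  </MBProperty>
</configuration>"""


def scan_metabase(xml_data):
    """Return (location, element, attribute, markers) for every attribute value
    that still mentions an Oracle Access Manager filter or DLL name."""
    try:
        root = ET.fromstring(xml_data)
    except ET.ParseError as exc:
        # A hand-edited metabase that no longer parses must be repaired first.
        raise ValueError(f"metabase copy is not well-formed XML: {exc}") from exc
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix
        location = elem.get("Location", "(no Location)")
        for attr, value in elem.attrib.items():
            hits = sorted(m for m in OAM_MARKERS if m in value.lower())
            if hits:
                findings.append((location, tag, attr, hits))
    return findings


if __name__ == "__main__":
    # Pass the path of a copy of the metabase file; with no argument, scan the sample.
    data = SAMPLE_METABASE
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    for location, tag, attr, hits in scan_metabase(data):
        print(f"{location}  <{tag}> {attr}: {', '.join(hits)}")
```

Hits under a Web site that is still protected by another WebGate are expected; only entries that belong to the removed component are leftovers to clean up.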

19.11 Troubleshooting

For information on troubleshooting, see the following topics in Appendix E: