Oracle® Fusion Middleware Installation Guide for Oracle Identity and Access Management
11g Release 2 (11.1.2)

Part Number E27301-04

11 Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager

This chapter describes how to migrate from the Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager to protect applications by using the same policy domain used by the Domain Agent. By default, applications deployed in an Oracle Identity and Access Management domain are protected by the Domain Agent.

Note:

Read this chapter only if you want to use Oracle HTTP Server 10g Webgate for Oracle Access Manager after setting up integration between Oracle Identity Manager and Oracle Access Manager, as described in the chapter "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

This chapter discusses the following topics:

11.1 Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0)

If you do not have an existing Oracle HTTP Server 11g (11.1.1.5.0) installation, you can install Oracle HTTP Server 11.1.1.2.0 and patch it to the latest version 11.1.1.5.0.

Oracle HTTP Server 11.1.1.2.0 is included in the Oracle Web Tier 11g Installer. You must download the Oracle Web Tier 11g (11.1.1.2.0) Installer from the Oracle Technology Network (OTN):

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:

http://edelivery.oracle.com/

Note:

For information about installing and configuring Oracle HTTP Server 11g (11.1.1.2.0), see the "Installing Oracle Web Tier" topic in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier. For information about patching Oracle HTTP Server 11.1.1.2.0 to 11.1.1.5.0 using the Patch Set Installer, see the "Applying the Latest Oracle Fusion Middleware Patch Set" topic in the Oracle Fusion Middleware Patching Guide.

After you install and configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

11.2 Provisioning Oracle HTTP Server 10g Webgate for Oracle Access Manager Profile

For information about provisioning a profile for Oracle HTTP Server 10g Webgate for use with Oracle Access Manager 11g server, see the "Provisioning a 10g WebGate for Use with OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

Note:

Ensure that the hostIdentifier parameter is set to IDMDomain and the autoCreatePolicy parameter is set to false when you are provisioning Oracle HTTP Server 10g Webgate to replace Domain Agent for OAM-OIM integration.

11.3 Installing Oracle HTTP Server 10g Webgate for Oracle Access Manager

For information about installing Oracle HTTP Server 10g Webgate for Oracle Access Manager, see the "Locating and Installing the Latest OAM 10g WebGate for OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.

11.4 Configuring mod_weblogic

After installing Oracle HTTP Server 10g Webgate for Oracle Access Manager, you must configure the Web server to forward requests to the applications deployed on the WebLogic Server.

Enabling WebLogic Plug-in

You must set the WebLogic plug-in at the domain level. To do this, perform the following steps:

  1. Log in to the Oracle WebLogic Server Administration Console at:

    http://hostname:port/console

  2. Click Lock and Edit.

  3. Click IDMDomain in the Domain Structure menu.

  4. Click the Configuration tab.

  5. Click the Web Applications sub tab.

  6. Select WebLogic Plug-in Enabled.

  7. Click Save and Activate the Changes.

  8. Restart the WebLogic Administration Server and the Managed Servers, as described in Section C.1, "Starting the Stack".

11.5 Optional: Configuring Host Identifier

This task is required only if you have set up integration between Oracle Identity Manager and Oracle Access Manager.

To configure host identifiers for auto-login functionality, complete the following steps:

  1. Launch the Oracle Access Manager Administration Console (http://<oamserverhost>:<adminport>/oamconsole).

  2. Click the Policy Configuration tab.

  3. On the left navigation pane, click Host Identifiers > IDMDomain. The Host Identifier page is displayed.

  4. In the Operations section on the Host Identifier page, all the host name and port number combinations are listed. Verify whether the section includes the host name and port number of the web server on which the Oracle HTTP Server 10g Webgate is configured.

    If it is not listed, add an entry as follows:

    1. In the Operations section, click the + icon. A new blank row is added to the Operations section.

    2. In the Host Name field, enter the host name of the web server on which the Oracle HTTP Server 10g Webgate is configured.

    3. In the Port field, enter the port number.

    4. Click Apply.

11.6 Updating Oracle Identity Manager Server Configuration

Update the Oracle Identity Manager (OIM) configuration in the oam-config.xml file (located in the <DOMAIN_HOME>/config/fmwconfig directory) to ensure that the Host and Port attributes of the IdentityManagement element in the file point to the Oracle HTTP Server on which the Oracle HTTP Server Webgate 10g is configured:

  1. Open the oam-config.xml file in a text editor.

  2. Update the entries as follows:

    <Setting Name="IdentityManagement" Type="htf:map">
      <Setting Name="ServerConfiguration" Type="htf:map">
        <Setting Name="OIM-SERVER-1" Type="htf:map">
          <Setting Name="Host" Type="xsd:string">OHS-HOST</Setting>
          <Setting Name="Port" Type="xsd:integer">OHS-PORT</Setting>
          <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
        </Setting>
      </Setting>
    </Setting>
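
One way to confirm the edit in step 2 took effect, as an added example that is not part of the Oracle guide: the script reads the OIM-SERVER-1 entry and reports where Host or Port do not match the Oracle HTTP Server in front of the Webgate. The sample file, host name, port and function names are constructed for illustration; tags are matched by local name on the assumption that the real file may declare XML namespaces.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the fragment in step 2; host and port are made up.
SAMPLE = """<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">ohs.example.com</Setting>
        <Setting Name="Port" Type="xsd:integer">7777</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>"""

PATH = ("IdentityManagement", "ServerConfiguration", "OIM-SERVER-1")

def _settings(parent, name, deep=False):
    """Yield <Setting Name=name> elements, ignoring any XML namespace on the tag."""
    for el in (parent.iter() if deep else parent):
        if el.tag.rsplit("}", 1)[-1] == "Setting" and el.get("Name") == name:
            yield el

def read_oim_server(xml_text):
    """Return the Host/Port/SecureMode values of OIM-SERVER-1, or None if absent."""
    node = next(_settings(ET.fromstring(xml_text), PATH[0], deep=True), None)
    for name in PATH[1:]:
        node = next(_settings(node, name), None) if node is not None else None
    if node is None:
        return None
    values = {}
    for key in ("Host", "Port", "SecureMode"):
        leaf = next(_settings(node, key), None)
        values[key] = (leaf.text or "").strip() if leaf is not None else None
    return values

def check_oim_frontend(xml_text, ohs_host, ohs_port):
    """List the ways the entry fails to point at the Webgate-protected OHS."""
    cfg = read_oim_server(xml_text)
    if cfg is None:
        return ["/".join(PATH) + " not found"]
    problems = []
    if cfg["Host"] is None or cfg["Host"].lower() != ohs_host.lower():
        problems.append(f"Host is {cfg['Host']!r}, expected {ohs_host!r}")
    if cfg["Port"] != str(ohs_port):
        problems.append(f"Port is {cfg['Port']!r}, expected {str(ohs_port)!r}")
    return problems
```

A file that still carries the literal OHS-HOST and OHS-PORT placeholders is reported as a mismatch on both fields.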
    

Note:

Ensure that you have set up integration between Oracle Identity Manager and Oracle Access Manager, as described in the topic "Integrating Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Identity Management Suite.

After updating OIM Server configuration, you must perform logout configuration as follows:

  1. Copy the logout.html file from the <IAM_ORACLE_HOME>/oam/server/oamsso directory to the <10gWebgateInstallation>/access/oamsso directory.

  2. Edit the SERVER_LOGOUTURL variable in the logout.html file to point to the host and port of the Oracle Access Manager Server. Follow the instructions in the logout.html file.

  3. If the httpd.conf file of the web server includes the following entries, remove the entries from the httpd.conf file:

    <LocationMatch "/oamsso/*">
        Satisfy any
    </LocationMatch>
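
A check for step 3, as an added example that is not part of the Oracle guide: it locates active LocationMatch blocks for /oamsso/* that contain Satisfy any and returns the configuration with them removed. The sample configuration and function names are constructed; commented-out lines are skipped and directive names are matched case-insensitively, as Apache does.

```python
import re

# Constructed httpd.conf excerpt; only the active /oamsso/ block matches step 3.
SAMPLE_CONF = '''\
Listen 7777
# <LocationMatch "/oamsso/*">
<LocationMatch "/oamsso/*">
    Satisfy any
</LocationMatch>
<Location /server-status>
    Satisfy Any
</Location>
'''

OPEN = re.compile(r'<\s*LocationMatch\s+"?(/oamsso/\*)"?\s*>', re.I)
CLOSE = re.compile(r'<\s*/\s*LocationMatch\s*>', re.I)
SATISFY_ANY = re.compile(r'^\s*Satisfy\s+any\b', re.I)

def find_oamsso_satisfy_any(conf_text):
    """Return (start_line, end_line) for each active /oamsso/* LocationMatch
    block that contains "Satisfy any"."""
    hits, start, has_satisfy = [], None, False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("#"):          # commented-out lines are inactive
            continue
        if start is None:
            if OPEN.match(line):
                start, has_satisfy = lineno, False
        elif SATISFY_ANY.match(line):
            has_satisfy = True
        elif CLOSE.match(line):
            if has_satisfy:
                hits.append((start, lineno))
            start = None
    return hits

def strip_oamsso_satisfy_any(conf_text):
    """Return conf_text with those blocks removed, leaving every other line intact."""
    drop = {n for s, e in find_oamsso_satisfy_any(conf_text) for n in range(s, e + 1)}
    return "".join(l for i, l in enumerate(conf_text.splitlines(True), 1) if i not in drop)
```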
    

11.7 Optional: Disabling Domain Agent

Domain Agent, which runs on the Administration Server and all Managed Servers in the Oracle Identity and Access Management domain, automatically detects the existence of a Webgate in the request flow. You do not need to disable the Domain Agent. However, if you want to disable the out-of-the-box Domain Agent, you can complete the following steps:

  1. From your present working directory, move to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain> directory (on UNIX). On Windows, move to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain> directory.

  2. To disable the Domain Agent running on the Administration Server, start the WebLogic Administration Server on the command line as follows:

    On UNIX:

    ./startWebLogic.sh -DWLSAGENT_DISABLED=true

    On Windows:

    startWebLogic.cmd -DWLSAGENT_DISABLED=true

  3. From your present working directory, move to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain>/bin directory (on UNIX). On Windows, move to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain>\bin directory.

  4. To disable the Domain Agent running on Managed Servers in the domain, start the Managed Servers on the command line as follows:

    On UNIX:

    ./startManagedWebLogic.sh <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

    On Windows:

    startManagedWebLogic.cmd <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

11.8 Optional: Updating Oracle Identity Manager Configuration

You can update the <OHS_Instance_Home>/config/OHS/<ohs_name>/mod_wl_ohs.conf file to front-end Oracle Identity Manager URLs with Oracle HTTP Server.

To do so, complete the following steps:

Open the mod_wl_ohs.conf file in a text editor and add appropriate entries, as in the following example:

<IfModule weblogic_module>
     WebLogicHost OIM_MANAGED_SERVER_HOST
     WebLogicPort OIM_MANAGED_SERVER_PORT
     MatchExpression /oim*
     MatchExpression /admin*
     MatchExpression /xlWebApp*
     MatchExpression /Nexaweb*
     MatchExpression /workflowservice*
     MatchExpression /callbackService*
     MatchExpression /SchedulerService-web*
     MatchExpression /iam-consoles-faces*
</IfModule>

Replace the values of OIM_MANAGED_SERVER_HOST and OIM_MANAGED_SERVER_PORT with the values of Oracle Identity Manager Managed Server's host and port.

After making the changes, restart Oracle HTTP Server. You can use the OPMN command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command line to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

  1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

  2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>

Updating the OIM Configuration When the OAM URL or Agent Profile Changes

You can update the Oracle Identity Manager configuration when the name of the agent profile is modified or the OAM URL is modified.

To update Oracle Identity Manager configuration, complete the following steps:

  1. Export the oim-config.xml file from metadata by running <IAM_ORACLE_HOME>/server/bin/weblogicExportMetadata.sh (on UNIX) and exporting the /db/oim-config.xml file. On Windows operating systems, you can use the weblogicExportMetadata.bat file located in the same directory.

  2. Update the file to use Oracle HTTP Server 10g Webgate by changing the following element under the <ssoConfig> tag:

    <webgateType>javaWebgate</webgateType> to <webgateType>ohsWebgate10g</webgateType>

  3. Import oim-config.xml back to metadata by running <IAM_Home>/server/bin/weblogicImportMetadata.sh on UNIX. On Windows, use the weblogicImportMetadata.bat located in the same directory.

  4. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

  5. Click Identity and access > oim > oim(version). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

  6. Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > config.

  7. Replace the front-end URL with the URL of Oracle HTTP Server. This should be the same Oracle HTTP Server that was used before installing Oracle HTTP Server 10g Webgate for Oracle Access Manager. Complete the following steps:

    1. Under XMLConfig MBean, move to XMLConfig.DiscoveryConfig.

    2. Update OimFrontEndURL with the URL of Oracle HTTP Server.

    3. Click Apply.

  8. Restart the OIM server.