The Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management describes initial deployment of Access Manager 11g with the Oracle HTTP Server. However, when your enterprise includes Web server types other than Oracle HTTP Server you might want to use existing 10g WebGates or install fresh 10g WebGates for use with Access Manager. Also, you might want to switch from using the pre-registered IAMSuiteAgent to using a 10g WebGate to protect Oracle Identity Management Consoles.
The following sections describe how to install fresh instances of 10g WebGates for use with Access Manager:
Locating and Installing the Latest 10g WebGate for Access Manager 11g
Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
Removing a 10g WebGate from the Access Manager 11g Deployment
Review the latest certification matrix from Oracle Technology Network to locate the latest WebGates for your deployment:
http://www.oracle.com/technetwork/middleware/id-mgmt/fusion-certification-100350.html
Ensure that your Oracle Access Management Console is running and get familiar with:
This section provides the following topics:
About IAMSuiteAgent: A Pre-Configured 10g WebGate Registered with Access Manager
About Legacy Oracle Access Manager 10g Deployments and WebGates
About Installing Fresh 10g WebGates to Use With Access Manager 11.1.2
About Centralized Logout with 10g OAM Agents and 11g OAM Servers
IAMSuiteAgent is a Java agent filter that is pre-registered with Access Manager 11.1.2 out of the box. This agent and the companion Application Domain are installed pre-configured with Access Manager.
The IAMSuiteAgent is a domain-wide agent:
Once Access Manager is deployed, the IAMSuiteAgent is installed on every server in the domain
Unless disabled, every request coming into the WebLogic Application Server is evaluated and processed by the IAMSuiteAgent
Certain IAMSuiteAgent configuration elements are available in the WebLogic Administration Console (in the Security Provider section) and others in the Oracle Access Management Console.
IAMSuiteAgent and related policies provide SSO protection for the IDM Administration Console, Oracle Identity Console, Oracle Access Management Console, and specific resources in the Identity Management domain.
You can replace the IAMSuiteAgent with a 10g WebGate to protect Oracle Identity Management Consoles and resources in the Identity Management domain, if you choose.
11g OAM Servers support 10g WebGates that are registered to operate with Access Manager 11.1.2. Such WebGates might include:
Legacy 10g WebGates currently operating with Oracle Access Manager 10g.
Legacy 10g WebGates configured as the Identity Assertion Provider (IAP) for SSO (for applications using IAP WebLogic container-based security with Oracle Access Manager 10g, as described in the Oracle Fusion Middleware Application Security Guide).
Legacy 10g WebGates currently operating with Web Applications coded for Oracle ADF Security and the OPSS SSO Framework
You can register these agents to use Access Manager SSO using either the Oracle Access Management Console or the remote registration tool. After registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM Proxy that acts as a bridge.
The following overview outlines the tasks that must be performed to set up an existing 10g WebGate to operate with Access Manager.
Task overview: Setting up a legacy 10g WebGate to operate with Access Manager
Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
Optional: Deploying Applications in a WebLogic Container as described in the Oracle Fusion Middleware Application Security Guide.
You can install fresh 10g WebGates for use with Access Manager 11g as described in this chapter. 10g WebGates are available for a number of Web server platforms.
After installation and registration, 10g WebGates directly communicate with Access Manager through a Java-based OAM proxy that acts as a bridge.
Note:
When installing fresh 10g WebGates for Access Manager, Oracle recommends that you use the latest WebGates. Oracle also recommends that you install multiple WebGates for failover and load balancing.There are several differences between installing a 10g WebGate to operate in an 11g Access Manager deployment versus installing the 10g WebGate in an 10g Oracle Access Manager deployment. Table 25-1 outlines these differences.
Table 25-1 Installation Comparison with 10g WebGates
10g WebGates in 11g Deployments | 10g WebGates in 10g Deployments |
---|---|
|
|
The following overview lists the topics in this chapter that describe 10g WebGate installation and registration tasks for Access Manager 11g in detail. You must complete all procedures for successful operation with Access Manager 11g.
Task overview: Registering and installing a 10g WebGate for Access Manager 11g
Registering a 10g WebGate:
Locating and Downloading 10g WebGates for Use with Access Manager 11g
Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
Optional: Deploying Applications in a WebLogic Container as described in Oracle Fusion Middleware Application Security Guide.
Logout is initiated when an application causes the invocation of the logout.html file configured for any registered 10g WebGate.
Generally speaking, during centralized logout with 10g WebGates the SSO Engine receives a user-session-exists request. The Session Management Engine looks up the session and responds that the session exists. The SSO engine sends a Clear Session request. The Session management engine clears the token and session context. The SSO engine sends a Session Cleared response.
Clearing the user token and the session context clears the server-side state, which includes clearing the OAM_ID cookie set on the server side. When the agent is notified, the agent clears the client-side state of the application. For more information, see Section 25.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers."
This topic provides a comparison against the 10g architecture for Access Manager and OSSO. Included are the following topics:
Access Manager 11g differs from 10g in that the identity administration features have been transferred to Oracle Identity Manager 11g (including user self-service and self registration, workflow functionality, dynamic group management, and delegated identity administration).
Access Manager 10g supported Single Sign-on using a single session cookie (the ObSSOCookie) that contained the user identity and session information required to access target resources that had the same or lower authentication level. The ObSSOCookie was encrypted and decrypted using a global shared secret key, the value of which was stored in the directory server. The ObSSOCookie was consumed by Access System components to verify the user identity and allow or disallow access to protected resources.
To close any possible security gaps, Access Manager 11g provides new server-side components that maintain backward compatibility with existing Access Manager 10g policy-enforcement agents (WebGates) and OSSO 10g agents (mod_osso). New Access Manager 11g WebGates are enhanced versions of 10g WebGates, that support a per-agent secret key for the Single Sign-on (SSO) solution. Thus, cookie-replay type of attack are prevented. The 11g WebGates are all trusted at the same level; a cookie specific for the WebGate is set and cannot be used to access any other WebGate-protected applications on a user's behalf.
Unless explicitly stated, the term "WebGate" refers to both an out of the box WebGate or a custom Access Client.
Access Manager 11g uses technology from Oracle Coherence to provide centralized, distributed, and reliable session management.
Table 25-2 provides a comparison of Access Manager 11g versus 10g. For a list of names that have changed with Access Manager 11g, see "Product and Component Name Changes with 11.1.2."
Table 25-2 Comparison: Access Manager 11g versus 10g
Access Manager 11g | 10g | |
---|---|---|
Agents |
Note: Nine Administrator languages are supported. |
Note: Nine Administrator languages are supported. |
Server-side components |
|
|
Console |
Oracle Access Management Console |
Access System Console Identity System Console |
Protocols that secure information exchange on the Internet |
Front channel protocols exchanged between Agent and Server: HTTP/HTTPS. 11g WebGate secures information exchange using the Agent key. -See Also: Cryptographic keys. |
10g Agent information exchange is unsecured, in plain text. |
Cryptographic keys |
Note: One key is generated and used per registered mod_osso agent. |
One global shared secret key per Access Manager deployment which is used by all the 10g WebGates |
Keys storage |
|
Global shared secret stored in the directory server only (not accessible to WebGate) |
Cookies |
Host-based authentication cookie, described in Table 1-2, "Features in Access Manager 11.1.2" |
|
Encryption / Decryption (The process of converting encrypted data back into its original form) |
Introduces client-side cryptography and ensures that cryptography is performed at both the agent and server ends:
|
|
Session Management |
|
|
Client IP |
|
|
Response token replay prevention |
|
N/A |
Multiple network domain support |
Cross-network-domain single sign-on out of the box. Oracle recommends you use Oracle Federation for multiple network domain support. |
A proprietary multiple network domain SSO capability predates Oracle Access Management Identity Federation. If this is implemented in your 10g deployment, register 10g Agents with Access Manager 11g to continue this support.
|
Centralized log-out |
See Chapter 22, "Configuring Centralized Logout for Sessions Involving 11g WebGates." |
logout.html requires specific details when using a 10g WebGate with Access Manager 11g. See Chapter 22, "Configuring Centralized Logout for Sessions Involving 11g WebGates."
|
Access Manager 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access.
Access Manager 10g provides authentication and authorization based on policies within a policy domain. Access Manager 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly denied access to limit the number of WebGate queries to the Access Server.
Table 25-3 compares the Access Manager 11g policy model with the 10g model. Access Manager 11g default behavior is to deny access when a resource is not protected by a policy that explicitly allows access. In contrast, Access Manager 10g default behavior allowed access when a resource was not protected by a rule or policy that explicitly specified access.
Table 25-3 Comparing Access Manager 11g Policy Model versus 10g
Policy Elements | 11g Policy Model | 10g Policy Model |
---|---|---|
Policy Authoring |
Oracle Access Management Console |
Policy Manager |
Policy Store |
Database |
LDAP directory server |
Domain |
Application Domain |
Policy Domain |
Resources |
|
|
Host identifiers |
|
|
Authentication Policies |
|
|
Authentication Schemes |
Authentication Schemes are defined globally and can be shared (referenced within authentication policies). The trust level is expressed as an integer value between 0 (no trust) and 99 (highest level of trust). Note: Level 0 is unprotected. Only unprotected resources can be added to an Authentication Policy that uses an authentication scheme at protection level 0. |
Authentication Schemes can be defined outside of policies and can be referenced within authentication policies. |
Authorization Policy |
Each resource assigned to an Application Domain can be protected by only one authorization policy. Each policy can include one or more conditions and a rule. See Also: Rule, later in this table, and Section 20.8, "Defining Authorization Policies for Specific Resources.". |
To protect resources, you define authorization rules that contain one or more conditions.You also configure authorization expressions using one or more authorization rules. A policy domain (and a policy) can each contain only one authorization expression. |
Token Issuance Policy |
By default, only a container for Token Issuance Policies is provided in a generated Application Domain. No Conditions or Rules are generated automatically. You must add these manually. See Also: Section 20.3.6, "About Token Issuance Policy Pages.". |
N/A |
Responses |
Available for all policy types:
|
|
Cookies |
See Also: Table 18-8 and Section 18.6.1, "About Single Sign-On Cookies During User Login." |
See Also: Table 18-8 and Section 18.6.1, "About Single Sign-On Cookies During User Login." |
Query String-based HTTP Resource Definitions |
Supported within Access Policies, as described in Table 20-1, "Resource Definition Elements" |
This Policy Model supports query string-based HTTP resource definitions within Access Policies. At run time, the OAM Proxy passes the Query String to the policy layer after URL encoding, just like for base resource URL. Only Query String that are part of HTTP GET requests are passed. Query String pattern does not apply to HTTP POST data. |
Rule |
Available for only Authorization and Token Issuance Policies. Each Authorization policy includes a rule that defines whether the policy allows or denies access to resources protected by the policy. The rule references Authorization conditions, described next. See Also: Section 20.11, "Introduction to Authorization Policy Rules and Conditions.". |
A policy is defined using authorization rules (among other policy elements). Authorization rules:
Each rule specifies who (which users, groups or IP4 addresses) is allowed or denied access and the time period in which this rule applies. There is also a provision to specify whether Allow takes precedence over Deny. |
Condition |
Available for only Authorization and Token Issuance Policies. Each Authorization policy rule references conditions that define to whom the rule applies, if there is a time Condition, and how evaluation outcomes are to be applied. Conditions are declared outside of rules and are referenced within a rule. See Also: Section 20.11, "Introduction to Authorization Policy Rules and Conditions." |
N/A |
The IAMSuiteAgent is pre-configured with the logout parameters needed to perform central logout against the OAM Server. While similar to a 10g WebGate, the IAMSuiteAgent does not have a local logout.html page to be configured. Instead, the IAMSuiteAgent is delivered with a pre-deployed application oamsso_logout), that is used by the agent to perform the logout.
The logout functionality for the IAMSuiteAgent requires that the oamsso_logout application is deployed in the Server where the IAMSuiteAgent is used. The initial installation adds this application to AdminServer and to OAM Servers. However, you must update this application's Target servers to include all those that are using the IAMSuiteAgent.
To configure logout for the IAMSuiteAgent
Log in to the WebLogic Server Administration Console.
Navigate to Domain, Deployments, oamsso_logout, Targets.
Select all the Servers where the IAMSuiteAgent is enabled and where logout is performed. For example, oim_server, oaam_admin, oaam_server, and so on.
Click Save.
Proceed to:
Whether you have a legacy 10g WebGate installed, or you are installing a fresh 10g WebGate instance to use with Access Manager 11g, you must register WebGate to use Access Manager 11g authentication and authorization services.
You can use either the Oracle Access Management Console or the remote registration tool to perform this task. The remote registration tool enables you to specify all WebGate parameters before registration using a template.
The following procedure walks through provisioning using the remote registration tool, in-band mode. In this example, OAMRequest_short.xml is used as a template to create an agent named my-10g-agent1, protecting /.../*, and declaring a public resource, /public/index.html. Your values will be different. You can use a full registration template to specify public, private, and excluded resources.
See Also:
The following, if needed:To use remote registration with a 10g WebGate for Access Manager 11g
Acquire the remote registration tool and set up the script for your environment. For example:
Locate RREG.tar.gz file in the following path:
$ORACLE_HOME/oam/server/rreg/client/RREG.tar.gz
Untar RREG.tar.gz file to any suitable location. For example: rreg/bin/oamreg.
In the oamreg script (oamreg.bat or oamreg.sh), set the following environment variables based on your situation (client side or server side) and information in Table 16-5:
Create the registration request:
Locate OAMRequest_short.xml and copy it to a new file. For example:
$OAM_REG_HOME/input/OAMRequest_short.xml/
Copy: OAMRequest_short.xml
To: my-10g-agent1.xml
Edit my-10g-agent1.xml to include details for your environment. For example:
<OAMRegRequest> <serverAddress>http://ruby.uk.example.com:7001</serverAddress> <hostIdentifier>my-10g</hostIdentifier> <agentName>my-10g-agent1</agentName> <protectedResourcesList> <resource>/myapp/</resource> <resource>/myapp/.../*</resource> </protectedResourcesList> <publicResourcesList> <resource>/public/index.html</resource> </publicResourcesList> <excludedResourcesList> <resource>/excluded/index.html</resource> </excludedResourcesList> <autoCreatePolicy>true</autoCreatePolicy> <primaryCookieDomain>.uk.example.com</primaryCookieDomain> <logOutUrls> <url>/oamsso/logout.html</url> </logOutUrls> </OAMRegRequest>
Register the agent. For example:
Locate the remote registration script.
Windows: rreg\bin\oamreg.bat
From the directory containing the script, execute the script using inband mode. For example:
$ ./bin/oamreg.sh inband input/my-10g-agent1.xml
Welcome to OAM Remote Registration Tool! Parameters passed to the registration tool are: Mode: inband Filename: ...
When prompted, enter the following information using values for your environment:
Enter your agent username: userame Username: userame Enter agent password: ******** Do you want to enter a WebGate password?(y/n) n iv. Do you want to import an URIs file?(y/n) n
Review the final message to confirm that this was a successful registration:
Inband registration process completed successfully! Output artifacts are created in the output folder"
Ignore the ObAccessClient.xml file created during registration for now.
Log in to the Oracle Access Management Console and add resources the new registration:
From the System Configuration tab, Access Manager section, expand the following nodes to reveal Search controls:
Use the Search controls to locate your WebGate registration page, then click the name in the Results table to display the page.
OAM Proxy Port—From the System Configuration tab, Common Configuration section, double click Server Instances and locate the port on which the OAM Proxy is running (Table 6-3).
Add resources to the Application Domain (Table 20-1).
Proceed as needed for your environment:
Existing WebGate: Configuring Centralized Logout for 10g WebGate with 11g OAM Servers
Uninstalled WebGate: Locating and Installing the Latest 10g WebGate for Access Manager 11g
Optional: Managing 10g OAM Agents Remotely
This section describes how to update, validate, and delete OAM 10g Agents using remote registration templates and modes described in Section 16.8, "Introduction to Updating Agents Remotely."
To remotely update OAM 10g Agent registration
Set up the registration tool as described in Section 16.7.1, "Acquiring and Setting Up the Remote Registration Tool."
Update Agent:
Create your update request using the OAMUpdateAgentRequest.xml
template.
On the computer hosting the Agent, run the following command with agentUpdate
mode specify your own *Request*.xml as the input file. For example:
./bin/oamreg.sh agentUpdate input/*OAMUpdateAgentRequest.xml
Provide the registration Administrator user name and password when asked.
Confirm success with on-screen messages.
Relocate to the agent host ObAccessClient.xml:
From the AdminServer (Console) host: /rreg/output/Agent_Name/
To the Agent host: $10gWG_install_dir/oblix/lib. For example:
Restart the OAM Server that is hosting this agent
Validating Agent:
On the Agent host, run the following command in agentValidate
mode. For example:
./bin/oamreg.sh agentValidate agentname
Provide the registration Administrator user name and password when asked.
Confirm success with on-screen messages.
Deleting an Agent:
On the computer hosting the Agent, run the following agentDelete
command. For example:
./bin/oamreg.sh agentDelete agentname
Provide the registration Administrator user name and password when asked.
Confirm success with on-screen messages.
Success: On-screen message confirms
AgentDelete process completed successfully
!
Use the procedures in this section if you need to install a fresh 10g WebGate for use with Access Manager 11g. Otherwise, skip this section and proceed to Section 25.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers."
Task overview: Installing the WebGate includes
Preparing for a Fresh 10g WebGate Installation with Access Manager 11g
Locating and Downloading 10g WebGates for Use with Access Manager 11g
Requesting or Installing Certificates for Secure Communications
Table 25-4 outlines the requirements that must be met before starting an 10g WebGate installation.
Table 25-4 Preparing for 10g WebGate Installation with Access Manager 11g
About the ... | Description |
---|---|
Latest Supported WebGates |
Always use the latest supported 10g (10.1.4.3) WebGates with Access Manager 11g. However, if the desired 10g (10.1.4.3) WebGate is not provided, use the next latest WebGate (10g (10.1.4.2.0). See Also: Section 25.7.2, "Locating and Downloading 10g WebGates for Use with Access Manager 11g." |
Location for installation |
Consider:
|
User Accounts |
The account that is used to install the WebGate is not the account that runs the WebGate:
|
Root Level versus Site Level |
|
Transport Security Mode |
Ensure that at least one OAM Server is configured to use the same mode as the agent to be installed. |
Computer Level or Virtual Web Server Level |
The WebGate can be configured to run at either the computer level or the virtual Web server level. Do not install at both the computer level and the virtual Web server levels. |
Oracle HTTP Server Web Server: |
The 10g WebGate for Oracle HTTP Server is based on open source Apache. WebGate package names include:
|
Access Manager 11g provides a single package for components that support Apache with or without SSL enabled:
Note: For SSL-enabled communication, Access Manager supports Apache with mod_ssl only, not Apache-SSL. mod_ssl is a derivative of, and alternative to, Apache-SSL. |
|
IHS2_WebGate is powered by Apache v2 on IBM-AIX. Access Manager supports IHS v2 and IHS v2 Reverse Proxy servers with or without SSL enabled. For details, see Chapter 26, "Configuring Apache, OHS, IHS for 10g WebGates." |
|
Before you install the 10g WebGate with a Domino Web server, you must have properly installed and set up the Domino Enterprise Server R5. See Also: Chapter 29, "Configuring Lotus Domino Web Servers for 10g WebGates." |
|
Before installing WebGate, ensure that your IIS Web server is not in lock down mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lock down. If you are using client certificate authentication, before enabling client certificates for the WebGate you must enable SSL on the IIS Web server hosting the WebGate. Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 fleshiest. In this case, these instructions may be ignored. Each IIS Virtual Web server can have it's own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the Webgate.dll at the site level to control all virtual hosts or install the Webgate.dll for one or all virtual hosts. You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir, as described in Section 28.5.3.4.2, "Installing the Postgate ISAPI Filter." If you perform multiple installations, multiple versions of this file may be created which may cause unusual Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist. See Also: Chapter 28, "Configuring the IIS Web Server for 10g WebGates" Removal: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase. |
|
On the ISA proxy server, all ISAPI filters must be installed within the ISA installation directory. They can be anywhere within the ISA installation directory structure:
See Also: Chapter 27, "Configuring the ISA Server for 10g WebGates" |
Use the following procedure to obtain an 10g WebGate, if needed. Be sure to choose the appropriate installation package for your Web server.
To find and download 10g WebGates
Review the latest Oracle Access Manager 10g certification information on the Oracle Technology Network at:
http://www.oracle.com/technetwork/middleware/id-mgmt/fusion-certification-100350.html
Go to Oracle Fusion Middleware 11gR1 Software Downloads at:
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
Click Accept License Agreement, at the top of the page.
From the Access Manager WebGates (10.1.4.3.0) row, click the download link for the desired platform and follow on-screen instructions.
Store the WebGate installer in the same directory with any 10g Access System Language Packs you want to install.
Proceed to Section 25.7.3, "Starting WebGate 10g Installation."
The following procedure walks through the steps, which are the same regardless of Web server type.
Installation options are identified and can be skipped if they do not apply to your environment. During WebGate installation, information is saved at specific points. You can cancel WebGate installation processing if needed. However, if you cancel WebGate installation after being informed that the WebGate is being installed, you must uninstall the component.
Note:
On HP-UX and AIX systems, you can direct an installation to a directory with sufficient space using the -is:tempdir path parameter. The path must be an absolute path to a file system with sufficient space.To start WebGate 10g installation
On the computer to host WebGate 10g, log in as a user with Web server Administrator privileges.
Stop the Web server instance.
Launch the WebGate installer for your preferred platform, installation mode, and Web server. For example:
GUI Method:
Windows— Oracle_Access_Manager10_1_4_3_0_Win32_API_Webgate.exe
Console Method:
Solaris—./ Oracle_Access_Manager10_1_4_3_0_sparc-s2_API_Webgate Linux—./ Oracle_Access_Manager10_1_4_3_0_linux_API_Webgate
where API refers to the API used by your Web server (for example, ISAPI for IIS Web servers).
Dismiss the Welcome screen; follow on-screen instructions with Administrator privileges.
Specify the installation directory for the WebGate.
Linux or Solaris: Specify the location of the GCC runtime libraries on this computer.
Language Pack—Choose a Default Locale and any other Locales to install, then click Next.
Record the installation directory name in the preparation worksheet if you haven't already, then click Next to continue.
The WebGate installation begins, which may take a few seconds. On Windows systems, a screen informs you that the Microsoft Managed Interfaces are being configured.
The installation process is not yet complete. You are asked to specify a transport security mode. At this point, you cannot go back to restate information.
Specify the location where you unzipped the previously downloaded GCC libraries, if needed.
Transport security between at least one OAM Server must match.
See Also:
Appendix C, "Securing Communication"To specify a transport security mode
Choose Open, Simple, or Cert for the WebGate.
Proceed according to your specified transport security mode:
Simple or Certificate Mode—Go to "Requesting or Installing Certificates for Secure Communications"
Open Mode—Skip to Section 25.7.7, "Updating the WebGate Web Server Configuration"
If your Access Manager 11g environment uses Open mode transport security, you can skip to Section 25.7.7, "Updating the WebGate Web Server Configuration."
WebGate Certificate Request: Generates the request file (aaa_req.pem), which you must send to a root CA that is trusted by the OAM Server. The root CA returns signed certificates, which can then be installed for WebGate.
Requested certificates must be copied to the \WebGate_install_dir\access\oblix\config directory and then the WebGate Web server should be restarted.
See Also:
Appendix C, "Securing Communication"To request or install certificates for WebGate 10g
Indicate whether you are requesting or installing a certificate, then click Next and continue. For example:
Requesting a certificate, proceed with step 2.
Installing a certificate, skip to step 3.
Enter the requested information, then click Next and issue your request for a certificate to your CA.
Record certificate file locations, if these are displayed.
Click Yes if your certificates are available and continue with step 3. Otherwise, skip to Section 25.7.7, "Updating the WebGate Web Server Configuration."
Install a Certificate During Installation: Specify the full paths to the following files, then click Next:
WebGate_install_dir\access\oblix\config
cacert.pem the certificate request, signed by the Oracle-provided openSSL Certificate Authority
password.xml contains the random global passphrase that was designated during installation, in obfuscated format. This is used to prevent other customers from using the same CA. Access Manager performs an additional password check during the initial handshake between the OAM Agent and OAM Server.
aaa_key.pem contains your private key (generated by openSSL).
aaa_cert.pem signed certificates in PEM format.
Proceed to Section 25.7.7, "Updating the WebGate Web Server Configuration."
You perform the following task using information provided during WebGate provisioning and registration with Access Manager 11g.
To provide WebGate configuration details
Provide the information requested for the WebGate as specified in the Access System Console.
WebGate ID—Enter the agent name that you supplied during registration.
WebGate password—Enter the password supplied during registration, if any. If no password was entered, leave the field blank.
Access Server ID—Enter the name of the OAM Server with which this WebGate is registered, if desired, or use any name you choose.
Access Server Host Name—Enter the DNS host name for the OAM Server with which this WebGate is registered
Port number—Enter the port on which the OAM Proxy is running. If a port was not entered during provisioning, the default port is 3004.
Click Next to continue.
Your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. However, procedures for both automatic and manual updates are included.
Note:
To manually update your Web server configurationClick No when asked if you want to proceed with the automatic update, then click Next.
Review the screen that appears to assist you in manually setting up your WebGate Web server, and see Section 25.7.7.1, "Manually Configuring Your Web Server."
Return to the WebGate installation screen, click Next, and proceed to Section 25.5, "Registering a 10g WebGate with Access Manager 11g Remotely."
To automatically update your Web server configuration
Click Yes to automatically update your Web server then click Next (or click No and see Section 25.7.7.1, "Manually Configuring Your Web Server"):
Most Web servers—Specify the absolute path of the directory containing the Web server configuration file.
IIS Web Servers—The process begins immediately and may take more than a minute. For more information, see Chapter 28, "Configuring the IIS Web Server for 10g WebGates."
You might receive special instructions to perform before you continue. Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.
Sun Web Servers—Be sure to apply the changes in the Web server Administration console before you continue.
A screen announces that the Web server configuration has been updated.
Click Next and continue with Section 25.7.8, "Finishing WebGate Installation."
If, during WebGate installation, you declined automatic Web server updates, you must perform the task manually.
Note:
If the manual configuration process was launched during WebGate installation, you can skip Step 1 in the following procedure.To manually configure your Web server for the WebGate
Launch your Web browser, and open the following file, if needed. For example:
\WebGate_install_dir\access\oblix\lang\langTag\docs\config.htm
where \WebGate_install_dir is the directory where you installed the WebGate.
Note:
If you choose manual IIS configuration during 64-bit WebGate installation, you can access details in the following pathWebGate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm
Select from the supported Web servers and follow all instructions, which are specific to each Web server type, as you:
Make a back up copy of any file that you are required to modify during WebGate set up, so it is available if you need to start over.
Ensure that you return to and complete all original setup instructions to enable your Web server to recognize the appropriate Access Manager files.
Note:
If you accidentally closed the window, return to step 1 and click the appropriate link again. Some setups launch a new browser window or require you to launch a Command window to input information.Continue with Section 25.7.8, "Finishing WebGate Installation."
The ReadMe information provides details about documentation and Oracle.
Note:
If you are installing a 64-bit IIS WebGate, see Section 28.8, "Finishing 64-bit Webgate Installation."To finish the WebGate installation
Review the ReadMe information, then click Next to dismiss it.
Click Finish to conclude the installation.
Restart your Web server to enable configuration updates to take affect.
Proceed with following topics before installing artifacts and certificates:
Native POSIX Thread Library: When installing Access Manager WebGate for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.
Apache2, OHS2, IHS2 Web Servers: Chapter 26, "Configuring Apache, OHS, IHS for 10g WebGates."
IIS Web Servers: Consider using net stop iisadmin
and net start w3svc
after installing the WebGate to help ensure that the Metabase does not become corrupted. See also Chapter 28, "Configuring the IIS Web Server for 10g WebGates."
ISA Web Servers: Chapter 27, "Configuring the ISA Server for 10g WebGates."
Lotus Domino Web Servers: Chapter 29, "Configuring Lotus Domino Web Servers for 10g WebGates."
Proceed to Section 25.7.9, "Installing Artifacts and Certificates."
The ObAccessClient.xml file is one result of product of provisioning. After WebGate installation, you must copy the file to the WebGate installation directory path. If you received signed WebGate 10g certificates after installing WebGate, you can use the following procedure to install these as well.
Configuring your Web server
To install artifacts (and certificates) for WebGate 10g
Copy ObAccessClient.xml
From: $WLS_DOMAIN_HOME
/output/AGENT_NAME
To: $WebGate_install_dir
/oblix/lib
Copy password.xml
From: $WLS_DOMAIN_HOME
/output/AGENT_NAME
To: $WebGate_install_dir
/oblix/config
Copy aaa_key.pem and aaa_cert.pem:
From: $IDM_DOMAIN_HOME
/output/AGENT_NAME
To: $WebGate_install_dir
/oblix/config/simple
Restart the WebGate Web server.
After WebGate installation and Web server updates, you can enable WebGate diagnostics to confirm that your WebGate is running properly.
Confirm Access Manager 11g components are running.
Specify the following URL for WebGate diagnostics. For example:
Most Web Servers—http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1
IIS Web Servers—http(s)://hostname:port/access/oblix/apps/ webgate/bin/webgate.dll?progid=1
where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number.
The WebGate diagnostic page should appear.
Successful: If the WebGate diagnostic page appears, the WebGate is functioning properly and you can dismiss the page. Go to Section 25.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers."
Unsuccessful: WebGate should be uninstalled and reinstalled, as described in Section 25.9, "Removing a 10g WebGate from the Access Manager 11g Deployment."
This section provides the following topics:
About Centralized Logout with 10g OAM Agents and 11g OAM Servers
About the Centralized Logout Script for 10g WebGates with 11g OAM Servers
Configuring Centralized Logout for 10g WebGates with Access Manager
The following process overview outlines the Access Manager centralized logout process that occurs when the application is deployed on the Web server for which the protecting 10g WebGate is configured.
Logout is initiated when an application causes the invocation of the logout.html file configured for the OAM agent (in this case, a 10g WebGate).
Process overview: Centralized logout for 10g WebGate with 11g OAM Server
The application causes invocation of the logout.html file configured for the 10g WebGate.
The application might also pass end_url
as a query string to logout.html. The end_url parameter could either be a URI or a URL. For example:
/oamsso/logout.html?end_url=/welcome.html or /oamsso/logout.html?end_url=http://my.site.com/welcome.html
WebGate clears the ObSSOCookie for its domain and loads the logout.html script.
If the end_url
parameter does not include host:port, the logout.html script gets the host:port of the local server and constructs the end_url
parameter as a URL. For example:
http://serverhost:port/oam/server/logout?end_url=http://my.site.com/
welcome.html
Logic in logout.html redirect to the OAM Server. For example:
http://myoamserverhost:port/oam/server/logout?end_url=http://my.site.com/
welcome.html
The OAM Server executes logout as follows:
Cleans up the session information associated with the user at the server side.
Validates the end_url
and sends a page with callback URLs to the user's browser.
Note:
TheLogout Callback URL
is specified in the expanded OAM Agent registration page, as described in "About Create OAM WebGate Page and Parameters" (or remote registration template in Table 16-3, "Elements on Expanded 11g and 10g WebGate/Access Client Registration Pages").From the callback page, a new request is initiated to a specific URI on each WebGate. When this request reaches the specific WebGate in the specific domain, the ObSSOCookie for that domain is cleared.
The user is redirected to the end_url
in the logout script. However, if the end_url
parameter is not present, an appropriate message is sent by the OAM Server.
For more information, see Section 25.8.2, "About the Centralized Logout Script for 10g WebGates with 11g OAM Servers."
With an 10g WebGate, the logout.html script is required for both single- and multiple DNS-domain centralized logout processing. The logout.html activates JavaScripts that perform the actual logout.
Note:
11g WebGates do not use the logout.html script and instead require additional details in their Agent registration configuration, as described in Section 25.8, "Configuring Centralized Logout for 10g WebGate with 11g OAM Servers."Example 25-1 is a logout.html script that you can use as a template by editing certain lines for your own environment, which are described at the top of the script. For instance, SERVER_LOGOUTURL
must be changed. Additional information is provided after the example.
Example 25-1 logout.html Script
<html> <head> <script language="javascript" type="text/javascript"> /////////////////////////////////////////////////////////////////////////////// //Before using, you need to change the values of: //a. "oamserverhost" to point to the host where the OAM Server is running. //b. "port" to point to the port where the OAM Server is running. /////////////////////////////////////////////////////////////////////////////// var SERVER_LOGOUTURL = "http://oamserverhost:port/oam/server/logout"; /////////////////////////////////////////////////////////////////////////////// function handleLogout() { //get protocol used at the server (http/https) var webServerProtocol = window.location.protocol; //get server host:port var webServerHostPort = window.location.host; //get query string present in this URL var origQueryString = window.location.search.substring(1); var newQueryString = ""; //vars to parse the querystring var params = new Array(); var par = new Array(); var val; if (origQueryString != null && origQueryString != "") { params = origQueryString.split("&"); for (var i=0; i<params.length; i++) { if (i == 0) newQueryString = "?"; if (i > 0) newQueryString = newQueryString + "&"; par = params[i].split("="); //prepare a new query string, if the end_url value needs to be changed newQueryString = newQueryString + (par[0]); newQueryString = newQueryString + "="; val = par[1]; if ("end_url" == par[0]) { //check if val (value of end_url) begins with "/" or "%2F" (is it an URI?) if (val.substring(0,1) == "/" || val.substring(0,1) == "%") { //modify the query string now val = webServerProtocol + "//" + webServerHostPort + val; } } newQueryString = newQueryString + val; } } //redirect the user to this URL window.location.href = SERVER_LOGOUTURL + newQueryString; } </script> </head> <body onLoad="handleLogout();"> </body> </html>
Process overview: Logic in logout.html
Gets the host and port from the incoming request.
Gets the end_url
parameter from the query string.
If the end_url
parameter is not a URL, then the logout.html script constructs a URL using the host and port from task 1. See "Guidelines for the end_url parameter in logout.html" following this section.
Redirects to the OAM Server logout URL (SERVER_LOGOUTURL). For example: http://myoamserver/host:port/oam/server/logout.
Use the end_url
constructed in process 2 as the query string.
Preserve all other query string parameters in the query string.
Guidelines for the end_url parameter in logout.html
The end_url
parameter can be either a URI or an URL.
If the end_url
query string is a URI, without host and port, then the logout.html must construct the URL by determining the host and port of the Web Server where logout.html is hosted. For example:
http://myoamserverhost:port/oam/server/logout?end_url=http://my
.site.com/welcome.html
If the end_url
parameter is a URL with the host and port, the logout.html script simply passes that on without reconstructing it.
Note:
An ADF application must pass theend_url
parameter indicating where to redirect the user after logout, as described in Section A.3, "Configuring Centralized Logout for Oracle ADF-Coded Applications."
/<app context root>/adfAuthentication?logout=true&end_url=<any uri>
Table 25-5 illustrates how a logout link in the logout.html file might be specified:
The following procedures describe how to configure centralized logout for 10g WebGates with Access Manager.
Note:
Optional tasks or those required for only multiple DNS domain logout are identified and can be skipped unless needed.Oracle Fusion Middleware Application Security Guide includes a sample procedure that includes steps for deploying an application in a WebLogic Server domain.
Task overview: Configuring centralized logout for 10g WebGates
Create a default logout page (logout.html) and make it available on the WebGate installation directory:
Create and edit logout.html for the WebGate based on Example 25-1, "logout.html Script".
Store your logout.html script in the following directory path:
WebGate_install_dir/oamsso/logout.html
Note:
If the logout.html file is located elsewhere, ensure that the logout link is correctly specified in the agent registration to point to the correct location of the logout.html file.Proceed with following steps, as needed.
Ensure that the logout.html (from Step 1) redirects the user to this central logout URI, "/oam/server/logout' on the 11g OAM Server.
Optional: Allow the application to pass the end_url parameter indicating where to redirect the user after logout, as described in "Guidelines for the end_url parameter in logout.html" in Section 25.8.2.
Check the Web server file for which the 10g WebGate is configured and perform the appropriate step:
OHS Web server, httpd.conf file: If the following lines exist, delete them:
<LocationMatch "/oamsso/*"> Satisfy any </LocationMatch>
Other Web servers, configuration file: Add the following line:
Alias /oamsso "WebGateInstallationDirectory/oamsso"
Use the following procedure to remove the 10g WebGate from the Access Manager 11g deployment, if needed.
Note:
Deleting an agent registration does not remove the associated host identifier, Application Domain, resources, or the agent instance.Web Server Configuration Changes: Web server configuration changes must be manually reverted after uninstalling the WebGate). For more information about what is added, see the appropriate chapter for your Web server.
WebGate IIS Filters: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand.
Evaluate the Application Domain, resources, and policies associated with this agent and ensure that these are configured to use another agent or that they can be removed.
Turn off the Web server for the WebGate you will remove.
Note:
If you don't turn off the Web server, uninstall might fail and the backup folder will not be removed. If this happens, you need to manually remove the backup folder.On the WebGate registration page in the Oracle Access Management Console, click the Disable box beside the State option to disable the WebGate.
Language Packs: Remove installed Language Packs (except the one selected as the default Administrator language (locale)) as follows:
Locate the appropriate Language Pack file in the component's uninstall directory. For example:
Run the Language Pack Uninstaller program to remove the files.
Repeat this process to remove the same Language Pack from associated components.
Stop and restart WebGate Web server to re-initialize proper language support.
Repeat this process to remove each Language Pack (except the one selected as the default Administrator language (locale)).
Perform the following steps to remove 10g WebGate configuration data:
If you have only one instance of an Access Manager component, complete step 4 to remove it.
If you have multiple instances of a component, see also step 5.
Locate and run the Uninstaller program for the specific component to remove Access Manager files. For example:
WebGate_install_dir\access\_uninstWebGate\uninstaller.exe
Note:
On UNIX systems, use uninstaller.binMultiple Instances: If you have multiple WebGate instances and want to remove one or all of them, you must use a specific method for your platform:
Windows: The last component can be uninstalled from Add/Remove programs. Others can be uninstalled by running the uninstall program from the \access \uninstComponent directory.
UNIX: You must always run uninstaller.bin.
Remove Access Manager-related updates to your Web server configuration. For details about specific Web servers, see Chapter 26, "Configuring Apache, OHS, IHS for 10g WebGates," Chapter 27, "Configuring the ISA Server for 10g WebGates," Chapter 28, "Configuring the IIS Web Server for 10g WebGates,", and Chapter 29, "Configuring Lotus Domino Web Servers for 10g WebGates."
Restart the Web server.
Remove the WebGate_install_dir directory if it remains, especially if you plan to reinstall it.