30.7 Locating and Installing the Latest 10g WebGate for Access Manager 11g

Use the procedures in this section to install a fresh 10g WebGate for use with Access Manager 11g.

Otherwise, skip this section and proceed as follows:

See Configuring Centralized Logout for 10g WebGate with 11g OAM Servers.

Task overview - Installing the WebGate includes:

  1. Preparing for a Fresh 10g WebGate Installation with Access Manager 11g
  2. Locating and Downloading 10g WebGates for Use with Access Manager 11g
  3. Starting WebGate 10g Installation
  4. Specifying a Transport Security Mode
  5. Specifying WebGate Configuration Details
  6. Requesting or Installing Certificates for Secure Communications
  7. Updating the WebGate Web Server Configuration
  8. Finishing WebGate Installation
  9. Installing Artifacts and Certificates
  10. Confirming WebGate Installation

30.7.1 Preparing for a Fresh 10g WebGate Installation with Access Manager 11g

Before you start the 10g WebGate installation with Access Manager 11g, ensure that requirements such as installation location, user accounts, and transport security mode are met.

Table 30-4 outlines the installation requirements.

Table 30-4 Preparing for 10g WebGate Installation with Access Manager 11g

About the ... Description

Latest Supported WebGates

Always use the latest supported 10g (10.1.4.3) WebGates with Access Manager 11g. However, if the desired 10g (10.1.4.3) WebGate is not provided, use the next latest WebGate (10g (10.1.4.2.0)).

See Also: Locating and Downloading 10g WebGates for Use with Access Manager 11g.

Location for installation

Consider:

  • WebGate in front of the application server.

  • Applications using WebLogic Server container-managed security: In front of the WebLogic Application Server in which your application is deployed.

User Accounts

The account that is used to install the WebGate is not the account that runs the WebGate:

  • The 10g WebGate should be installed using the same user and group as the Web server.

  • Unix: You can be logged in as root to install the WebGate. The WebGate can be installed using a non-root user if the Web server process runs as a non-root user.

Root Level versus Site Level

  • The WebGate can be installed at the root level or the site level.

  • Installing WebGate on multiple virtual sites amounts to only one instance of WebGate.

Transport Security Mode

Ensure that at least one OAM Server is configured to use the same mode as the agent to be installed.

See Also: Securing Communication Between OAM Servers and WebGates.

Computer Level or Virtual Web Server Level

The WebGate can be configured to run at either the computer level or the virtual Web server level. Do not install at both the computer level and the virtual Web server levels.

Oracle HTTP Server Web Server:

The 10g WebGate for Oracle HTTP Server is based on open source Apache. WebGate package names include:

  • OHS (based on Apache v1.3)

  • OHS2 (based on Apache v2)

  • OHS11g (based on Apache v2.2 and is not the subject of this chapter)

Apache Web Servers

Access Manager 11g provides a single package for components that support Apache with or without SSL enabled:

Note: For SSL-enabled communication, Access Manager supports Apache with mod_ssl only, not Apache-SSL. mod_ssl is a derivative of, and alternative to, Apache-SSL.

IBM HTTP Server (IHS) v2 Web Servers:

IHS2_WebGate is powered by Apache v2 on IBM-AIX. Access Manager supports IHS v2 and IHS v2 Reverse Proxy servers with or without SSL enabled.

See About Access Manager with Apache and IHS v2 Webgates.

Domino Web Servers:

Before you install the 10g WebGate with a Domino Web server, you must have properly installed and set up the Domino Enterprise Server R5.

See Also: Prerequisites for Configuring Lotus Domino Web Servers for 10g WebGates

IIS Web Servers

Before installing WebGate, ensure that your IIS Web server is not in lock down mode. Otherwise things will appear to be working until the server is rebooted and the metabase re-initialized, at which time IIS will disregard activity that occurred after the lock down.

If you are using client certificate authentication, before enabling client certificates for the WebGate you must enable SSL on the IIS Web server hosting the WebGate.

Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. For example, suppose you install the ISAPI WebGate in Simple or Cert mode on a Windows 2000 computer running the FAT32 file system. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

Each IIS Virtual Web server can have its own WebGate.dll file installed at the virtual level, or can have one WebGate affecting all sites installed at the site level. Either install the Webgate.dll at the site level to control all virtual hosts or install the Webgate.dll for one or all virtual hosts.

You may also need to install the postgate.dll file at the computer level. The postgate.dll is located in the \WebGate_install_dir.

See Installing the Postgate ISAPI Filter.

If you perform multiple installations, multiple versions of this file may be created which may cause unusual Access Manager behavior. In this case, you should verify that only one webgate.dll and one postgate.dll exist.

See Prerequisites for Configuring the IIS Web Server for 10g WebGates

Removal: To fully remove a WebGate and related filters from IIS, you must do more than simply remove the filters from the list in IIS. IIS retains all of its settings in a metabase file. On Windows 2000 and later, this is an XML file that can be modified by hand. There is also a tool available, MetaEdit, to edit the metabase. MetaEdit looks like Regedit and has a consistency checker and a browser/editor. To fully remove a WebGate from IIS, use MetaEdit to edit the metabase.

ISA Proxy Servers

On the ISA proxy server, all ISAPI filters must be installed within the ISA installation directory. They can be anywhere within the ISA installation directory structure:

  1. Before installing the WebGate on the ISA proxy server:

    Check for general ISAPI filter with ISA instructions on:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/isa/isaisapi_5cq8.asp
    

    Ensure that the internal and external communication layers are configured and working properly.

  2. During installation you will be asked if this is an ISA installation; be sure to:

    Indicate that this is an ISA proxy server installation, when asked.

    Specify the ISA installation directory path as the WebGate installation path.

    Use the automatic Web server update feature to update the ISA proxy server during WebGate installation.

  3. After WebGate installation, locate the file configureISA4webgate.bat, which calls a number of scripts and the process to configure the ISA server filters that must be added programmatically.

See Prerequisites for Configuring the ISA Server for 10g WebGates

30.7.2 Locating and Downloading 10g WebGates for Use with Access Manager 11g

Obtain a 10g WebGate, if needed, and ensure that you choose the appropriate installation package for your Web server.

To locate and download 10g WebGates for use with Access Manager 11g:

  1. Review the latest Oracle Access Manager 10g certification information on the Oracle Technology Network at:
  2. Go to Oracle Fusion Middleware 11gR1 Software Downloads at:
  3. Click Accept License Agreement, at the top of the page.
  4. From the Access Manager WebGates (10.1.4.3.0) row, click the download link for the desired platform and follow on-screen instructions.
  5. Store the WebGate installer in the same directory with any 10g Access System Language Packs you want to install.
  6. Proceed to Starting WebGate 10g Installation.

30.7.3 Starting WebGate 10g Installation

Regardless of Web server type, the procedure is the same to start WebGate 10g installation. Installation options are identified and can be skipped if they do not apply to your environment.

During WebGate installation, information is saved at specific points. You can cancel WebGate installation processing if needed. However, if you cancel WebGate installation after being informed that the WebGate is being installed, you must uninstall the component.

Note:

On HP-UX and AIX systems, you can direct an installation to a directory with sufficient space using the -is:tempdir path parameter. The path must be an absolute path to a file system with sufficient space.

To start WebGate 10g installation:

  1. On the computer to host WebGate 10g, log in as a user with Web server Administrator privileges.

  2. Stop the Web server instance.

  3. Launch the WebGate installer for your preferred platform, installation mode, and Web server. For example:

    GUI Method:

    Windows— Oracle_Access_Manager10_1_4_3_0_Win32_API_Webgate.exe
    

    Console Method:

    Solaris—./Oracle_Access_Manager10_1_4_3_0_sparc-s2_API_Webgate
    Linux—./Oracle_Access_Manager10_1_4_3_0_linux_API_Webgate
    

    where API refers to the API used by your Web server (for example, ISAPI for IIS Web servers).

  4. Dismiss the Welcome screen; follow on-screen instructions with Administrator privileges.

  5. Specify the installation directory for the WebGate.

  6. Linux or Solaris: Specify the location of the GCC runtime libraries on this computer.

  7. Language Pack—Choose a Default Locale and any other Locales to install, then click Next.

  8. Record the installation directory name in the preparation worksheet if you haven't already, then click Next to continue.

    The WebGate installation begins, which may take a few seconds. On Windows systems, a screen informs you that the Microsoft Managed Interfaces are being configured.

    The installation process is not yet complete. You are asked to specify a transport security mode. At this point, you cannot go back to restate information.

  9. Specify the location where you unzipped the previously downloaded GCC libraries, if needed.

30.7.4 Specifying a Transport Security Mode

The transport security mode of the WebGate must match that of at least one OAM Server.

See Securing Communication Between OAM Servers and WebGates.

To specify a transport security mode:

  1. Choose Open, Simple, or Cert for the WebGate.
  2. Proceed according to your specified transport security mode:

30.7.5 Requesting or Installing Certificates for Secure Communications

You can request or install certificates for WebGate 10g. Requested certificates must be copied to the \WebGate_install_dir\access\oblix\config directory and then the WebGate Web server should be restarted.

If your Access Manager 11g environment uses Open mode transport security, you can skip to the following topic:

See Updating the WebGate Web Server Configuration.

WebGate Certificate Request: Generates the request file (aaa_req.pem), which you must send to a root CA that is trusted by the OAM Server. The root CA returns signed certificates, which can then be installed for WebGate.

See Securing Communication Between OAM Servers and WebGates.

To request or install certificates for WebGate 10g:

  1. Indicate whether you are requesting or installing a certificate, then click Next and continue. For example:
    • Requesting a certificate, proceed with step 2.

    • Installing a certificate, skip to step 3.

  2. Request a Certificate:
    • Enter the requested information, then click Next and issue your request for a certificate to your CA.

    • Record certificate file locations, if these are displayed.

    • Click Yes if your certificates are available and continue with step 3. Otherwise, skip to the following topic:

      See Updating the WebGate Web Server Configuration.

  3. Install a Certificate During Installation: Specify the full paths to the following files, then click Next:

    WebGate_install_dir\access\oblix\config

    • cacert.pem the certificate request, signed by the Oracle-provided openSSL Certificate Authority

    • password.xml contains the random global passphrase that was designated during installation, in obfuscated format. This is used to prevent other customers from using the same CA. Access Manager performs an additional password check during the initial handshake between the OAM Agent and OAM Server.

    • aaa_key.pem contains your private key (generated by openSSL).

    • aaa_cert.pem contains signed certificates in PEM format.

    • Proceed to the following topic:

      See Updating the WebGate Web Server Configuration.

30.7.6 Specifying WebGate Configuration Details

You perform the following task using information provided during WebGate provisioning and registration with Access Manager 11g.

To provide WebGate configuration details:

  1. Provide the information requested for the WebGate as specified in the Access System Console.
    • WebGate ID—Enter the agent name that you supplied during registration.

    • WebGate password—Enter the password supplied during registration, if any. If no password was entered, leave the field blank.

    • Access Server ID—Enter the name of the OAM Server with which this WebGate is registered, if desired, or use any name you choose.

    • Access Server Host Name—Enter the DNS host name for the OAM Server with which this WebGate is registered.

    • Port number—Enter the port on which the OAM Proxy is running. If a port was not entered during provisioning, the default port is 3004.

  2. Click Next to continue.

30.7.7 Updating the WebGate Web Server Configuration

Your Web server must be configured to operate with the WebGate. Oracle recommends automatically updating your Web server configuration during installation. However, procedures for both automatic and manual updates are included.

Note:

To manually update the Web server configuration:

  1. Click No when asked if you want to proceed with the automatic update, then click Next.

  2. Review the screen that appears to assist you in manually setting up your WebGate Web server.

    See Manually Configuring Your Web Server.

  3. Return to the WebGate installation screen, click Next, and proceed to the following topic:

    See Registering a 10g WebGate with Access Manager 11g Remotely.

To automatically update your Web server configuration:

  1. Click Yes to automatically update your Web server, then click Next (or click No and view the following topic):

    See Manually Configuring Your Web Server.

    • Most Web servers—Specify the absolute path of the directory containing the Web server configuration file.

    • IIS Web Servers—The process begins immediately and may take more than a minute.

      See About WebGate Guidelines for IIS Web Servers.

      You might receive special instructions to perform before you continue. Setting various permissions for the /access directory is required for IIS WebGates only when you are installing on a file system that supports NTFS. The last installation panel provides instructions for manually setting various permissions that cannot be set on the FAT32 file system. In this case, these instructions may be ignored.

    • Sun Web Servers—Be sure to apply the changes in the Web server Administration console before you continue.

    A screen announces that the Web server configuration has been updated.

  2. Click Next and continue as follows:

    See Finishing WebGate Installation.

30.7.7.1 Manually Configuring Your Web Server

If, during WebGate installation, you declined automatic Web server updates, you must perform the task manually.

Note:

If the manual configuration process was launched during WebGate installation, you can skip Step 1 in the following procedure.

To manually configure your Web server for the WebGate:

  1. Launch your Web browser, and open the following file, if needed. For example:

    \WebGate_install_dir\access\oblix\lang\langTag\docs\config.htm

    where \WebGate_install_dir is the directory where you installed the WebGate.

    Note:

    If you choose manual IIS configuration during 64-bit WebGate installation, you can access details in the following path

    WebGate_install_dir\access\oblix\lang\en-us\docs\dotnet_isapi.htm

  2. Select from the supported Web servers and follow all instructions, which are specific to each Web server type, as you:
    • Make a backup copy of any file that you are required to modify during WebGate setup, so it is available if you need to start over.

    • Ensure that you return to and complete all original setup instructions to enable your Web server to recognize the appropriate Access Manager files.

      Note:

      If you accidentally closed the window, return to step 1 and click the appropriate link again. Some setups start a new browser window or require you to open a Command window.

  3. Continue as follows:

30.7.8 Finishing WebGate Installation

The ReadMe information provides details about documentation and Oracle.

Note:

You may need to install a 64-bit IIS WebGate.

See Finishing 64-bit Webgate Installation.

To finish the WebGate installation:

  1. Review the ReadMe information, then click Next to dismiss it.
  2. Click Finish to conclude the installation.
  3. Restart your Web server to enable configuration updates to take effect.
    • IIS Web Servers—Consider using net stop iisadmin and net start w3svc after installing the WebGate to help ensure that the Metabase does not become corrupted.

    • Security-Enhanced Linux: Run the chcon commands for the WebGate you just installed on this platform.

  4. Proceed with following topics before installing artifacts and certificates:
  5. Proceed to the following topic:

30.7.9 Installing Artifacts and Certificates

The ObAccessClient.xml file is one product of provisioning. After WebGate installation, you must copy the file to the WebGate installation directory path.

If you received signed WebGate 10g certificates after installing WebGate, you can use the following procedure to install these as well.

Prerequisites:

Configure your Web server.

To install artifacts (and certificates) for WebGate 10g:

  1. Copy ObAccessClient.xml
    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/lib

    Copy password.xml

    • From: $WLS_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/config

  2. Copy aaa_key.pem and aaa_cert.pem:
    • From: $IDM_DOMAIN_HOME/output/AGENT_NAME

    • To: $WebGate_install_dir/oblix/config/simple

      The simple directory must be created before copying the artifacts.

  3. Restart the WebGate Web server.
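The copy steps above can be scripted so that the private key and passphrase file never land with group or world access. The following is an added example, not Oracle-supplied code: the function names install_webgate_artifacts and is_owner_only, the owner-only (0600) permissions, and running it as the Web server account are assumptions of this example; the source and destination paths are the ones listed in the procedure.

```shell
#!/bin/sh
# Added example, not Oracle's code. Assumption: run as the Web server account,
# so owner-only files stay readable by the WebGate.
# Usage: install_webgate_artifacts SRC_DIR WEBGATE_DIR [CERT_SRC_DIR]
#   SRC_DIR      provisioning output ($WLS_DOMAIN_HOME/output/AGENT_NAME)
#   WEBGATE_DIR  $WebGate_install_dir
#   CERT_SRC_DIR $IDM_DOMAIN_HOME/output/AGENT_NAME (defaults to SRC_DIR)
install_webgate_artifacts() (
    src=$1
    wg=$2
    certsrc=${3:-$1}
    umask 077   # assumption: anything created here is owner-only

    [ -d "$wg/oblix" ] || { echo "no oblix directory under $wg" >&2; exit 1; }
    [ -f "$src/ObAccessClient.xml" ] || { echo "ObAccessClient.xml not in $src" >&2; exit 1; }

    # Refuse a key without its certificate (or the reverse) before copying anything.
    have_key=0
    have_cert=0
    if [ -f "$certsrc/aaa_key.pem" ]; then have_key=1; fi
    if [ -f "$certsrc/aaa_cert.pem" ]; then have_cert=1; fi
    [ "$have_key" = "$have_cert" ] || { echo "aaa_key.pem and aaa_cert.pem must both be present" >&2; exit 1; }

    mkdir -p "$wg/oblix/lib" "$wg/oblix/config" || exit 1
    cp "$src/ObAccessClient.xml" "$wg/oblix/lib/ObAccessClient.xml" || exit 1

    if [ -f "$src/password.xml" ]; then
        cp "$src/password.xml" "$wg/oblix/config/password.xml" || exit 1
        # cp keeps the mode of a file it overwrites, so set it explicitly.
        chmod 600 "$wg/oblix/config/password.xml" || exit 1
    fi

    if [ "$have_key" = 1 ]; then
        # The simple directory must exist before the copy.
        mkdir -p "$wg/oblix/config/simple" || exit 1
        cp "$certsrc/aaa_key.pem" "$certsrc/aaa_cert.pem" "$wg/oblix/config/simple/" || exit 1
        chmod 600 "$wg/oblix/config/simple/aaa_key.pem" || exit 1
    fi
)

# Succeeds only if FILE exists and grants nothing to group or other.
is_owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

After the copy, is_owner_only can be run against aaa_key.pem and password.xml before restarting the Web server; a failure means the file is readable by accounts other than its owner.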

30.7.10 Confirming WebGate Installation

After WebGate installation and Web server updates, you can enable WebGate diagnostics to confirm that your WebGate is running properly.

To review WebGate diagnostics:

  1. Confirm Access Manager 11g components are running.
  2. Specify the following URL for WebGate diagnostics. For example:

    Most Web Servers—http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.cgi?progid=1

    IIS Web Servers—http(s)://hostname:port/access/oblix/apps/webgate/bin/webgate.dll?progid=1

    where hostname refers to the name of the computer hosting the WebGate; port refers to the Web server instance port number.

  3. The WebGate diagnostic page should appear.