This chapter provides procedures for changing the network configuration, such as the host name, domain name, or IP address, of an Oracle Fusion Middleware host.
This section describes how to change the host name, domain name, IP address, or any combination of these, of a host that contains the following installation types:
Oracle WebLogic Server. When you change the host name, domain name, or IP address of Oracle WebLogic Server, you also automatically change the information for Java components, such as Oracle SOA Suite and Oracle WebCenter components that are deployed to Oracle WebLogic Server.
Oracle Fusion Middleware Web Tier components, Oracle Web Cache and Oracle HTTP Server. You can change the host name or the IP address.
To change the host name, domain name, or IP address of a WebLogic Managed Server:
Display the Administration Console, as described in Section 3.4.1.
In the Change Center, click Lock & Edit.
Create a machine, which is a logical representation of the computer that hosts one or more WebLogic Servers, and point it to the new host. (From the Home page, select Machines. Then, click New.) Follow the directions in the Administration Console help.
You must disable Host Name Verification on Administration Servers that access Node Manager, as described in the Help.
Change the Managed Server configuration to point to the new machine:
From the left pane of the Console, expand Environment and then Servers. Then, select the name of the server.
Select the Configuration tab, then the General tab. In the Machine field, select the machine to which you want to assign the server.
Change Listen Address to the new host.
Click Save.
Start the Managed Server. You can use the Oracle WebLogic Server Administration Console, WLST, or the following command:
DOMAIN_NAME/bin/startManagedWebLogic.sh managed_server_name admin_url username password
The Managed Server connects to the Administration Server and updates its configuration changes.
If you change the host name, domain name or IP address of a host that contains multiple Oracle instances, you must change the network configuration of each Oracle instance that resides on that host. You do not need to make changes to any system component that resides on another host.
You can change the network configuration of Oracle HTTP Server and Oracle Web Cache by using the following command:
(UNIX) ORACLE_HOME/chgip/scripts/chgiphost.sh
(Windows) ORACLE_HOME\chgip\scripts\chgiphost.bat
The format of the command is:
chgiphost.sh | chgiphost.bat [-noconfig] [-version] [-help] [ -oldhost old_host_name -newhost new_host_name] [-oldip old_IP_address -newip new_IP_address] -instanceHome Instance_path
The parameters have the following meanings:
noconfig: The default for changing the network parameters.
version: Displays the version of the chgiphost tool.
help: Displays help for the command.
oldhost: The fully qualified name of the old host. Use this parameter, with newhost, to change the host name or domain name, or both.
newhost: The fully qualified name of the new host. Use this parameter, with oldhost, to change the host name or domain name, or both.
oldip: The old IP address.
newip: The new IP address.
instanceHome: The full path of the Oracle instance.
For example, to change the host name, domain name, and IP address of a host that contains either Oracle HTTP Server or Oracle Web Cache, or both, take the following steps:
Prepare your host for the change:
Perform a backup of your environment before you start this procedure. See Chapter 14.
Shut down all Oracle Fusion Middleware processes. See Chapter 4.
Update your operating system with the new hostname, domain name, IP address, or any combination of these. Consult your operating system documentation for information on how to perform the following steps.
Make the updates to your operating system to properly change the host name, domain name, or IP address.
Restart the host, if necessary for your operating system.
Verify that you can ping the host from another host in your network. Be sure to ping using the new hostname to make sure everything is resolving properly.
Follow these steps for each Oracle instance that contains Oracle HTTP Server or Oracle Web Cache on your host. Be sure to complete the steps entirely for one Oracle instance before you move on to the next.
Log in to the host as the user that installed Oracle Fusion Middleware.
Run the chgiphost command.
The following example changes the host name from host_a to host_b and the domain name from dom_1 to dom_2 for an Oracle instance named inst_a. It also changes the IP address:
chgiphost.sh -noconfig -oldhost host_a.dom_1 -newhost host_b.dom_2 -oldip old_IP_address -newip new_IP_address -instanceHome /scratch/Oracle/Middleware/inst_a
Restart all Oracle Fusion Middleware processes. See Chapter 4.
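A check worth running before the restart, shown here as an added example rather than an Oracle tool: scan the instance's configuration tree for lines that still mention the old host name or old IP address. The function names, the 192.0.2.x addresses and the miniature instance tree are constructed for illustration; host_a.dom_1 and host_b.dom_2 are the names used in the chgiphost example above.

```shell
#!/bin/sh
# Added example, not an Oracle tool: report configuration lines under an
# Oracle instance home that still mention the old host name or IP address.

# Escape regex metacharacters so host_a.dom_1 and 192.0.2.10 match literally.
re_escape() {
    printf '%s' "$1" | sed 's/[][\.*^$()+?{}|]/\\&/g'
}

# find_stale_refs DIR OLD_FQDN OLD_IP
# Prints file:line:text for each leftover reference; exit status 1 if none.
find_stale_refs() {
    scan_dir=$1
    host_re=$(re_escape "$2")
    ip_re=$(re_escape "$3")
    # The boundary class keeps 192.0.2.10 from matching 192.0.2.100 and
    # host_a.dom_1 from matching myhost_a.dom_1.
    edge='[^A-Za-z0-9_.-]'
    grep -rnEi -- "(^|$edge)($host_re|$ip_re)($edge|\$)" "$scan_dir"
}

# Number of leftover references (0 when the tree is clean).
count_stale_refs() {
    find_stale_refs "$@" | wc -l | tr -d ' '
}

# Constructed sample: a miniature instance tree after an incomplete change.
make_sample_instance() {
    sample_dir=$(mktemp -d) || return 1
    mkdir -p "$sample_dir/config/OHS/ohs1"
    cat > "$sample_dir/config/OHS/ohs1/httpd.conf" <<'EOF'
ServerName host_a.dom_1
Listen 192.0.2.10:7777
ServerAdmin admin@host_b.dom_2
EOF
    cat > "$sample_dir/config/OHS/ohs1/mod_wl_ohs.conf" <<'EOF'
WebLogicHost myhost_a.dom_1
WebCluster 192.0.2.100:7001,192.0.2.101:7001
EOF
    printf '%s\n' "$sample_dir"
}

# Demo run on the constructed tree: two stale lines are reported.
sample=$(make_sample_instance)
find_stale_refs "$sample" host_a.dom_1 192.0.2.10 || echo "no stale references"
rm -rf "$sample"
```

On a real host, point the first argument at the Oracle instance home passed to -instanceHome.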
This section describes how to change the IP address of a host that contains a metadata repository:
Stop all components that use the Metadata Repository, even if they are on other hosts. Stop the Administration Server, the Managed Servers, and all components, as described in Chapter 4.
Prepare your host for the change by stopping the database:
Set the ORACLE_HOME and ORACLE_SID environment variables.
Shut down the listener and database:
lsnrctl stop
sqlplus /nolog
SQL> connect SYS as SYSDBA
SQL> shutdown
SQL> quit
Verify that all Oracle Fusion Middleware processes have stopped.
To make sure Oracle Fusion Middleware processes do not start automatically after a restart of the host, disable any automated startup scripts you may have set up, such as /etc/init.d scripts.
Update your operating system with the new IP address, restart the host, and verify that the host is functioning properly on your network. Consult your operating system documentation for information on how to perform the following steps:
Make the updates to your operating system to properly change the IP address.
Restart the host, if required by your operating system.
Verify that you can ping the host from another host in your network. Be sure to ping using the new IP address to make sure everything is resolving properly.
Start the database:
Log in to the host as the user that installed the database.
Set the ORACLE_HOME and ORACLE_SID environment variables.
On UNIX systems, set the LD_LIBRARY_PATH, LD_LIBRARY_PATH_64, LIB_PATH, or SHLIB_PATH environment variables to the proper values, as shown in Table 3-1. The actual environment variables and values that you must set depend on the type of your UNIX operating system.
Start the database and listener:
sqlplus /nolog
SQL> connect SYS as SYSDBA
SQL> startup
SQL> quit
lsnrctl start
If you use the IP address in the data source definition, change the system data source to use the new IP address for the metadata repository. To do so, you use Oracle WebLogic Server Administration Console:
In the Change Center, click Lock & Edit.
In the Domain Structure section, expand Services, then JDBC, and select Data Sources.
The Summary of JDBC Data Sources page is displayed.
Select the data source you want to change.
The Settings page is displayed.
Select the Connection Pool tab.
To change the IP address, modify the URL field. For example:
jdbc:oracle:thin:@hostname.domainname.com:1522/orcl
Click Save.
Restart the servers that use this data source. (Click the Target tab to see the servers that use this data source.)
Start the components that use the Metadata Repository:
Start all components that use the Metadata Repository, even if they are on other hosts. Start the Administration Server, the Managed Servers, and all components, as described in Chapter 4.
If you disabled any processes for automatically starting Oracle Fusion Middleware at the beginning of this procedure, enable them.
This section describes how to move an Oracle Fusion Middleware host on and off the network. The following assumptions and restrictions apply:
The host must contain an instance that does not use an Infrastructure, or both the middle-tier instance and Infrastructure must be on the same host.
DHCP must be used in loopback mode. Refer to Oracle Fusion Middleware Installation Planning Guide for more information.
Only IP address change is supported; the host name must remain unchanged.
Hosts in DHCP mode should not use the default host name (localhost.localdomain). The hosts should be configured to use a standard host name and the loopback IP should resolve to that host name.
A loopback adapter is required for all off-network installations (DHCP or static IP). Refer to Oracle Fusion Middleware Installation Planning Guide for more information.
This procedure assumes you have installed Oracle Fusion Middleware on a host that is off the network, using a standard host name (not localhost), and would like to move on the network and use a static IP address. The IP address may be the default loopback IP, or any standard IP address.
To move on to the network, you can simply connect the host to the network. No updates to Oracle Fusion Middleware are required.
This procedure assumes you have installed on a host that is off the network, using a standard host name (not localhost), and would like to move on the network and use DHCP. The IP address of the host can be any static IP address or loopback IP address, and should be configured to the host name.
To move on to the network:
Connect the host to the network using DHCP.
Configure the host name to the loopback IP address only.
Follow this procedure if your host is on the network, using a static IP address, and you would like to move it off the network:
Configure the /etc/hosts file so the IP address and host name can be resolved locally.
Take the host off the network.
There is no need to perform any steps to change the host name or IP address.
This section describes how to change between a static IP address and DHCP. The following assumptions and restrictions apply:
The host must contain all Oracle Fusion Middleware components, including Identity Management components, and any metadata repository associated with those components. That is, the entire Oracle Fusion Middleware environment must be on the host.
DHCP must be used in loopback mode. Refer to Oracle Fusion Middleware Installation Planning Guide for more information.
Only IP address change is supported; the host name must remain unchanged.
Hosts in DHCP mode should not use the default host name (localhost.localdomain). The hosts should be configured to use a standard host name and the loopback IP should resolve to that host name.
To change a host from a static IP address to DHCP:
Configure the host to have a host name associated with the loopback IP address before you convert the host to DHCP.
Convert the host to DHCP. There is no need to update Oracle Fusion Middleware.
To change a host from DHCP to a static IP address:
Configure the host to use a static IP address.
There is no need to update Oracle Fusion Middleware.
Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). Among other features, IPv6 supports a larger address space (128 bits) than IPv4 (32 bits), providing an exponential increase in the number of computers that can be addressable on the Web.
An IPv6 address is expressed as 8 groups of 4 hexadecimal digits. For example:
2001:0db8:85a3:08d3:1319:8a2e:0370:7334
Table 12-1 describes support for IPv6 by Oracle Fusion Middleware components. In the table:
The column IPv6 Only shows whether or not a component supports using IPv6 only for all communication.
The column Dual Stack shows whether or not a component supports using both IPv6 and IPv4 for communication. For example, some components do not support using IPv6 only, because some of the communication is with the Oracle Database, which supports IPv4, not IPv6. Those components might support dual stack, allowing for IPv6 communication with other components.
Component | IPv6 Only | Dual Stack | Notes |
---|---|---|---|
Oracle WebLogic Server | Yes | Yes | Most Oracle WebLogic Server plug-ins do not support IPv6. IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in. |
Oracle HTTP Server | Yes | Yes | To configure for IPv6, see Section 12.5.2. |
Oracle Web Cache | Yes | Yes | Enabled by default. To disable, see Section 12.5.3. |
Oracle SOA Suite | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
Oracle WebCenter | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
ADF | Yes | Yes | |
Oracle Directory Integration Platform | Yes | Yes | Uses JNDI to communicate with LDAP servers and uses data sources to communicate with the database. JNDI and data sources (JDBC) support IPv6. No additional configuration is necessary. |
Oracle Directory Services Manager | Yes | Yes | Uses JNDI to communicate with LDAP servers and uses data sources to communicate with the database. JNDI and data sources (JDBC) support IPv6. No additional configuration is necessary. |
Oracle Identity Federation | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
Oracle Internet Directory | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. See "Managing IP Addresses" in the Oracle Fusion Middleware Administrator's Guide for Oracle Internet Directory. |
Oracle Platform Security Services | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. |
Oracle Virtual Directory | No | Yes | Requires a dual stack, because Oracle Database requires IPv4 addresses. See Oracle Fusion Middleware Administrator's Guide for Oracle Virtual Directory. |
Oracle Single Sign-On Server | No | No | Uses Oracle HTTP Server proxy, which can be configured for IPv6. Oracle Single Sign-On must be Release 10.1.4.3. See Section 12.5.4. |
Oracle Portal | No | No | Uses Oracle HTTP Server reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. See "Configuring Reverse Proxy Servers" in the Oracle Fusion Middleware Administrator's Guide for Oracle Portal for more information. |
Oracle Forms Services | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |
Oracle Reports | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |
Oracle Business Intelligence Discoverer | No | No | Uses reverse proxy to communicate with Oracle HTTP Server or Oracle Web Cache, which can be configured for IPv6. |
The following topologies for IPv4 and IPv6 are supported (dual-stack means that the host is configured with both IPv4 and IPv6):
Topology A:
Oracle Database on IPv4 protocol host
Oracle WebLogic Server on dual-stack host
Clients on IPv4 protocol host
Clients on IPv6 protocol host
Topology B:
Oracle Database on IPv4 protocol host
One or more of the following components on dual-stack hosts: Oracle WebLogic Server, Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control
Oracle HTTP Server with mod_wl_ohs on IPv6 protocol host
Topology C:
Database, such as MySQL, that supports IPv6 on IPv6 protocol host
Oracle WebLogic Server on IPv6 protocol host
Clients on IPv6 protocol host
Topology D:
Oracle Database on IPv4 protocol host
One or more of the following components on dual-stack hosts: Identity Management, Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control
Clients on IPv4 protocol host
Clients on IPv6 protocol host
Topology E:
Oracle Database on IPv4 protocol host
One or more of the following components on IPv4 protocol host: Oracle Portal, Oracle Forms Services, Oracle Reports, Oracle Business Intelligence Discoverer, and Oracle Single Sign-On Release 10.1.3.4
Oracle HTTP Server with mod_proxy on dual-stack host
Clients on IPv6 protocol host
Topology F:
Oracle Access Manager Release 10.1.4.3 and applications, such as SOA composite applications on IPv4 protocol host
Oracle HTTP Server with mod_proxy on dual-stack host
Clients on IPv6 protocol host
Topology G:
Oracle Database on IPv4 protocol host
One or more of the following components on IPv4 protocol host: Oracle SOA Suite, Oracle WebCenter, Oracle Business Activity Monitoring, Fusion Middleware Control on IPv4 protocol host
Oracle HTTP Server with mod_wl_ohs on dual-stack host
Clients on IPv6 protocol host
See Also:
The section "Using IPv6" in the Oracle Fusion Middleware Administrator's Guide
To configure Oracle HTTP Server to communicate using IPv6, you modify configuration files in the following directory:
ORACLE_INSTANCE/config/OHS/ohs_name
For example, to configure Oracle HTTP Server to communicate with Oracle WebLogic Server on hosts that are running IPv6, you configure mod_wl_ohs. You edit the configuration files in the following directory:
ORACLE_INSTANCE/config/OHS/ohs_name
In the files, specify either the resolvable host name or the IPv6 address in one of the following parameters:
WebLogicHost hostname | [IPaddress]
WebCluster [IPaddress_1]:portnum1, [IPaddress_2]:portnum2, [IPaddress_3]:portnum3, ...
You must enclose the IPv6 address in brackets.
Any errors are logged in the Oracle HTTP Server logs. To generate more information, set the mod_weblogic directives Debug All and WLLogFile path. Doing so will log module-specific messages.
Note the following limitations:
Dynamic clusters are supported only on IPv4 nodes, or in a mixed cluster where each node is configured with a resolvable host name (instead of an IP address or a blank) in the Listen Address.
To change the Listen Address, use the Oracle WebLogic Server Administration Console and edit the Listen Address in the Server: Configuration: General page, as described in the Oracle WebLogic Server Administration Console help.
If the cluster contains IPv6 nodes and the host names are not resolvable, the cluster must be static, not dynamic. To set the cluster to static, change the DynamicServerList to Off. If you add or delete any cluster members, you must manually update the configuration file and restart Oracle HTTP Server.
To change the DynamicServerList to Off, edit the Oracle HTTP Server configuration files.
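The bracket rule and the static-cluster limitation above can be checked mechanically. The following lint is an added example, not Oracle code: it flags unbracketed IPv6 literals in WebLogicHost and WebCluster, and it assumes that a WebCluster listing IPv6 addresses is the non-resolvable case described above, so it expects DynamicServerList Off. The function names and the 2001:db8:: sample fragments are constructed.

```shell
#!/bin/sh
# Added example, not Oracle code: lint mod_wl_ohs directives for the IPv6
# rules in this section. Reads a configuration file (or stdin) and prints
# one finding per line.
lint_mod_wl_ohs() {
    awk '
    # Classify one WebLogicHost value or WebCluster member.
    function ipv6_state(m) {
        if (m ~ /^\[[0-9A-Fa-f:.]+\](:[0-9]+)?$/) return "bracketed"
        # Two or more colons outside brackets: an IPv6 literal whose last
        # group cannot be told apart from a port number.
        if (gsub(/:/, ":", m) >= 2) return "bare"
        return "name"
    }
    function check(m,    s) {
        s = ipv6_state(m)
        if (s == "bare")
            print "line " NR ": IPv6 address " m " must be enclosed in brackets"
        return s
    }
    /^[ \t]*#/ { next }                        # comment lines
    { d = tolower($1) }                        # directive names are case-insensitive
    d == "weblogichost" { check($2) }
    d == "webcluster" {
        list = $0
        sub(/^[ \t]*[^ \t]+[ \t]+/, "", list)  # drop the directive name
        gsub(/[ \t]/, "", list)                # members may be separated by ", "
        n = split(list, member, ",")
        for (i = 1; i <= n; i++)
            if (check(member[i]) != "name") { literal = 1; where = NR }
    }
    d == "dynamicserverlist" { dynamic = tolower($2) }
    END {
        # Assumption: nodes listed by IPv6 address are not resolvable by name.
        if (literal && dynamic != "off")
            print "line " where ": cluster lists IPv6 addresses, so it must be static: set DynamicServerList Off"
    }
    ' "$@"
}

count_wl_findings() {
    lint_mod_wl_ohs "$@" | wc -l | tr -d ' '
}

# Constructed fragments: one breaking both rules, one following them.
sample_wl_bad() {
    cat <<'EOF'
# constructed fragment
WebCluster 2001:db8::10:7001, [2001:db8::11]:7001
Debug ALL
EOF
}

sample_wl_good() {
    cat <<'EOF'
WebCluster [2001:db8::10]:7001, [2001:db8::11]:7001
DynamicServerList Off
EOF
}

# Demo run: prints the two findings for the bad fragment.
sample_wl_bad | lint_mod_wl_ohs
```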
By default, IPv6 support is enabled for Oracle Web Cache. You can disable it in the webcache.xml file, which is located in the following directory:
(UNIX) ORACLE_INSTANCE/config/WebCache/webcache_name
(Windows) ORACLE_INSTANCE\config\WebCache\webcache_name
In the file, change the value of the IPV6 element to "No". For example:
<IPV6 enabled="NO"/>
Oracle Single Sign-On Server supports IPv4. However, you can configure Oracle Single Sign-On Server to work with clients that support IPv6 by setting up a proxy server and a reverse proxy.
The steps in this section assume that you have installed Oracle Single Sign-On Server Release 10.1.4.3 and a proxy server such as Oracle HTTP Server that acts as a front end to the Oracle Single Sign-On Server.
Take the following steps to configure Oracle Single Sign-On to work with clients that support IPv6:
Run the ssocfg script on the single sign-on middle tier. This script changes the host name stored in the single sign-on server to the proxy host name. Use the following command syntax, entering values for the protocol, host name, and port of the proxy server:
(UNIX) $ORACLE_HOME/sso/bin/ssocfg.sh http proxy_server_name proxy_port
(Windows) %ORACLE_HOME%\sso\bin\ssocfg.bat http proxy_server_name proxy_port
Update the targets.xml file on the single sign-on middle tier. The file is located in:
(UNIX) ORACLE_HOME/sysman/emd
(Windows) ORACLE_HOME\sysman\emd
Open the file and find the target type oracle_sso_server. Within this target type, locate and edit the three attributes that you passed to ssocfg:
HTTPMachine—the HTTP server host name
HTTPPort—the SSL port number of the Oracle HTTP server
HTTPProtocol—the server protocol
Add the lines that follow to the httpd.conf file on the single sign-on middle tier. The file is at ORACLE_HOME/Apache/Apache/conf. These lines change the directive ServerName from the name of the actual server to the name of the proxy:
KeepAlive off
ServerName proxy_host_name
Port proxy_port
Note that if you are using SSL, the port must be an SSL port such as 4443.
(SSL only) If you have configured SSL communication between just the browser and the proxy server, configure mod_certheaders on the middle tier. This module enables the Oracle HTTP Server to treat HTTP proxy requests that it receives as SSL requests. Add the lines that follow to httpd.conf. You can place them at the end of the file. Where they appear is unimportant.
Enter this line to load the module:
(UNIX) LoadModule certheaders_module libexec/mod_certheaders.so
(Windows) LoadModule certheaders_module modules/ApacheModuleCertHeaders.dll
If you are using Oracle Web Cache as a proxy, enter this line:
AddCertHeader HTTPS
If you are using a proxy other than Oracle Web Cache, enter this line:
SimulateHttps on
Reregister mod_osso on the single sign-on middle tier. This step configures mod_osso to use the proxy host name instead of the actual host name. For example, on Linux:
$ORACLE_HOME/sso/bin/ssoreg.sh -oracle_home_path ORACLE_HOME -site_name example.mydomain.com -config_mod_osso TRUE -mod_osso_url http://example.mydomain.com
Update the Distributed Configuration Management schema:
ORACLE_HOME/dcm/bin/dcmctl updateconfig
Restart the single sign-on middle tier:
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=HTTP_Server
ORACLE_HOME/opmn/bin/opmnctl restartproc process-type=OC4J_SECURITY
Log in to the single sign-on server, using the single sign-on login URL:
http://proxy_host_name:proxy_port/sso/
This URL takes you to the single sign-on home page. If you are able to log in, you have configured the proxy correctly.
If you have not already done so, install Oracle HTTP Server 11g Release 1 (11.1.1) to use as a reverse proxy for IPv6.
Change the Oracle HTTP Server 11g Release 1 (11.1.1) configuration to enable reverse proxy:
Stop Oracle HTTP Server:
opmnctl stopproc ias-component=component_name
Edit the following file:
(UNIX) ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
(Windows) ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
Append the following to the httpd.conf file:
#---Added for Mod Proxy
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
ProxyPass /sso http://OHS_host:OHS_port/sso
ProxyPass / http://OHS_host:OHS_port/
ProxyPassReverse / http://OHS_host:OHS_port/
ProxyPreserveHost On
In the example, OHS_host and OHS_port are the host name and port of the front-end server for Oracle Single Sign-On, discussed in Step 1.
Restart the Oracle HTTP Server. For example, to restart ohs1:
opmnctl startproc ias-component=ohs1
Oracle Access Manager supports Internet Protocol Version 4 (IPv4). Oracle Fusion Middleware supports Internet Protocol Version 4 (IPv4) and Internet Protocol Version 6 (IPv6). IPv6 is enabled with Oracle HTTP Server with the mod_wl_ohs plug-in.
You can configure Oracle Access Manager to work with clients that support IPv6 by setting up a reverse proxy server. Several scenarios are provided here. Be sure to choose the right configuration for your environment.
Figure 12-1 illustrates simple authentication with Oracle Access Manager configured to use the IPv6/IPv4 proxy.
Note:
In a WebGate profile, an IPv6 address cannot be specified. In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address.
Figure 12-1 Simple Authentication with the IPv6/IPv4 Proxy
As illustrated in Figure 12-1, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server and WebGate using IPv4. WebGate, Oracle Access Manager servers, and Oracle WebLogic Server with the Authentication provider all communicate with each other using IPv4.
Figure 12-2 illustrates configuration with a single IPv6 to IPv4 proxy (even though myssohost and myapphost could use separate proxies).
Note:
In a WebGate profile, the virtual host name must be specified as a host name, for example, myapphost.foo.com, not as an IP address. The redirect host name, for example, myssohost.foo.com, must also be specified as a host name and not an IP address. The IPv6 address cannot be specified in a WebGate profile.
Figure 12-2 IPv6 with an Authenticating WebGate and Challenge Redirect
As illustrated in Figure 12-2, the IPv6 network communicates with the IPv6/IPv4 proxy, which in turn communicates with the Oracle HTTP Server using IPv4. WebGate, Oracle Access Manager server, and Oracle WebLogic Server with the Identity Asserter all communicate with each other using IPv4.
You should be able to access the application from a browser on the IPv4 network by going directly to the IPv4 server host name, with login redirected to the IPv6 host myssohost.foo.com.
The following considerations apply to each intended usage scenario:
IP validation does not work by default. To enable IP validation, you must add the IP address of the Proxy server as the WebGate's IPValidationException parameter value in the Access System Console.
IP address-based authorization does not work, because all requests arrive from a single IP address (the proxy IP), so a rule based on the client IP address would not serve its purpose.
Regardless of the manner in which you plan to use Oracle Access Manager with IPv6 Clients, the following tasks should be completed before you start:
Install an Oracle HTTP Server instance to act as a reverse proxy to the Web server (required for WebGate).
Install and complete the initial set up of Oracle Access Manager (Identity Server, WebPass, Policy Manager, Access Server, WebGate) as described in Oracle Access Manager Access Administration Guide.
Configuring your environment for simple authentication with Oracle Access Manager using the IPv6/IPv4 proxy is described in the procedure in this section. See Figure 12-1 for a depiction of this scenario.
The configuration in this procedure is an example only. In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server with WebGate. You must use values for your environment.
Note:
For this configuration you must use the Web server on which the WebGate is deployed as the Preferred HTTP host in the WebGate profile. You cannot use the IPv6 proxy name.
To configure IPv6 with simple authentication:
Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server to enable reverse proxy:
Stop Oracle HTTP Server with the following command:
opmnctl stopproc ias-component=component_name
Edit the following file:
(UNIX) ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
(Windows) ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
Append the following to the httpd.conf file:
#---Added for Mod Proxy
<IfModule mod_proxy.c>
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / http://OHS_host:OHS_port/
ProxyPassReverse / http://OHS_host:OHS_port/
</IfModule>
Restart Oracle HTTP Server using the following command:
opmnctl startproc ias-component=component_name
Log in to the Access System Console. For example:
http://hostname:port/access/oblix
In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.
The Access System main page appears.
Click Access System Configuration, and then click AccessGate Configuration.
The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.
Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.
Click an AccessGate's name to view its details.
Click Modify.
For Preferred HTTP Host, specify the Web server name on which WebGate is deployed as it appears in all HTTP requests. The host name within the HTTP request is translated into the value entered into this field regardless of the way it was defined in a user's HTTP request.
To enable IP validation, add the IP address of the proxy server as the value of the IPValidationException parameter.
Click Save.
Use the procedure in this section to configure your environment to use Oracle Access Manager with the IPv6/IPv4 proxy and an authenticating WebGate and challenge redirect. Figure 12-2 shows a depiction of this scenario.
The following procedure presumes a common proxy for both form-based authentication and the resource WebGate. For example, suppose you have the following configuration:
Resource WebGate is installed on http://myapphostv4.foo.com/
Resource is on http://myapphostv4.foo.com/testing.html
Authenticating WebGate is on http://myssohostv4.foo.com/
Login form is http://myssohostv4.foo.com/oamsso/login.html
Reverse Proxy URL is http://myapphost.foo.com/
Note:
For this configuration, the Preferred HTTP host must be the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphost4.foo.com must use myapphost4.foo.com as the Preferred HTTP host. You cannot use the IPv6 proxy name.
In the following procedure, you configure the Oracle HTTP Server, configure WebGate profiles to use the corresponding Oracle HTTP Server as the Preferred HTTP host, and configure the form-based authentication scheme with a challenge redirect value of the reverse proxy server URL (http://myapphost.foo.com/ in this example).
Be sure to use values for your own environment.
To configure IPv6 with an authenticating WebGate and challenge redirect:
Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server, as follows:
Stop Oracle HTTP Server with the following command:
opmnctl stopproc ias-component=component_name
Edit the following file:
UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
Append the following information for your environment to the httpd.conf file. For example:
<IfModule mod_proxy.c>
# Reverse proxy only: ProxyPass works with ProxyRequests Off, and On would also enable forward proxying
ProxyRequests Off
ProxyPreserveHost On
# Redirect login form requests and redirection requests to Authentication WebGate
ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPassReverse /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPass /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html
ProxyPassReverse /oamsso/login.html http://myssohostv4.foo.com/oamsso/login.html
ProxyPass /access/sso http://myssohostv4.foo.com/access/sso
ProxyPassReverse /access/sso http://myssohostv4.foo.com/access/sso
# Redirect resource requests to Resource WG
ProxyPass / http://myapphostv4.foo.com/
ProxyPassReverse / http://myapphostv4.foo.com/
</IfModule>
Restart Oracle HTTP Server using the following command:
opmnctl startproc ias-component=component_name
In the Access System Console, set the Preferred HTTP host for each WebGate as follows:
Log in to the Access System Console. For example:
http://hostname:port/access/oblix
In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.
The Access System main page appears.
Click Access System Configuration, and then click AccessGate Configuration.
The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.
Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.
Click an AccessGate's name to view its details.
Click Modify.
For Preferred HTTP Host, specify the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.
To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.
Click Save.
Repeat for each WebGate, specifying the name of the Oracle HTTP Server Web server that is configured for that WebGate.
From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:
Click Access System Configuration, and then click Authentication Management.
Click the name of the scheme to modify, and then click Modify.
Configure the challenge redirect value to the Proxy server URL. In this example, the Proxy server URL is http://myapphost.foo.com/
Click Save.
In this configuration, you have multiple proxies: for example, a separate proxy for the authentication WebGate and another proxy for the resource WebGate. You can access the application from a browser on the IPv4 network directly to an IPv4 server host name with a login redirect to an IPv6 host. For example:
Resource WebGate is on http://myapphostv4.foo.com/
Authenticating WebGate is on http://myssohostv4.foo.com
Proxy used for myapphostv4.foo.com should be myapphostv4.foo.com
Proxy used for myssohostv4.foo.com should be myssohostv4.com
Note:
You cannot use the IPv6 proxy name as the Preferred HTTP host in a WebGate profile. In the example, OHS_host and OHS_port are the host name and port of the actual Oracle HTTP Server that is configured for WebGate. Be sure to use values for your own environment.
To configure IPv6 with a separate proxy for authentication and resource WebGates:
Configure Oracle HTTP Server 11g Release 1 (11.1.1) or any other server for multiple proxies, as follows:
Stop Oracle HTTP Server with the following command:
opmnctl stopproc ias-component=component_name
Edit the following file:
UNIX: ORACLE_INSTANCE/config/OHS/ohs_name/httpd.conf
Windows: ORACLE_INSTANCE\config\OHS\ohs_name\httpd.conf
Append the following information for your environment to the httpd.conf file. For example:
<IfModule mod_proxy.c>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://OHS_host:OHS_port
    ProxyPassReverse / http://OHS_host:OHS_port
</IfModule>
Restart Oracle HTTP Server using the following command:
opmnctl startproc ias-component=component_name
In the Access System Console, set the Preferred HTTP host for each WebGate as follows:
Log in to the Access System Console. For example:
http://hostname:port/access/oblix
In the example, hostname refers to the computer that hosts the WebPass Web server; port refers to the HTTP port number of the WebPass Web server instance; /access/oblix connects to the Access System Console.
The Access System main page appears.
Click Access System Configuration, and then click AccessGate Configuration.
The Search for AccessGates page appears. The Search list contains a selection of attributes that can be searched. Remaining fields allow you to specify search criteria that are appropriate for the selected attribute.
Select the search attribute and condition from the lists (or click All to find all AccessGates), and then click Go.
Click an AccessGate's name to view its details.
Click Modify.
For Preferred HTTP Host, specify the name of the Oracle HTTP Server Web server that is configured for this WebGate. For instance, a WebGate deployed on myapphostv4.foo.com must use myapphostv4.foo.com as the Preferred HTTP host.
To enable IP validation, add the IP address of the Proxy server as the value of the IPValidationException parameter.
Click Save.
Repeat for each WebGate, specifying the name of the Oracle HTTP Server Web server that is configured for that WebGate.
From the Access System Console, modify the Form authentication scheme to include a challenge redirect to the Proxy server, as follows:
Click Access System Configuration, and then click Authentication Management.
Click the name of the scheme to modify, and then click Modify.
Configure the challenge redirect value to the Proxy server URL that acts as a reverse proxy for the authentication WebGate. In this example, the Proxy server URL is http://myssohost.foo.com/
Click Save.
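A check that can be run on the mod_proxy block appended to httpd.conf in either procedure above, before Oracle HTTP Server is restarted. This is an added example, not part of the Oracle documentation or tooling; the function name lint_proxy_block and the sample text are constructed here, and it assumes top-level mappings of the form "ProxyPass <path> <URL>" as used on this page.

```python
import re

# Constructed sample: this page's multi-proxy block with one ProxyPassReverse
# removed and one ProxyPass target fused to its path, to exercise the checks.
SAMPLE = """\
<IfModule mod_proxy.c>
ProxyRequests On
ProxyPreserveHost On
ProxyPass /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPassReverse /obrareq.cgi http://myssohostv4.foo.com/obrareq.cgi
ProxyPass /access/sso http://myssohostv4.foo.com/access/sso
ProxyPass /http://myapphostv4.foo.com/
</IfModule>
"""

def lint_proxy_block(conf_text):
    """Return (line_no, message) findings for the mod_proxy directives in conf_text."""
    findings, passes, reverses = [], {}, {}
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue  # skip blanks, comments and container tags
        parts = line.split()
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((no, "ProxyRequests On enables forward proxying; "
                                 "reverse-proxy mappings work with Off"))
        elif name in ("proxypass", "proxypassreverse"):
            well_formed = (len(args) >= 2 and args[0].startswith("/")
                           and re.match(r"https?://", args[1]))
            if not well_formed:
                findings.append((no, f"{parts[0]} needs '<path> <URL>': {line!r}"))
                continue
            (passes if name == "proxypass" else reverses)[args[0]] = (no, args[1])
    # Every forwarded path needs a reverse mapping to the same backend so that
    # redirects issued by the WebGate host are rewritten to the proxy's name.
    for path, (no, target) in passes.items():
        if path not in reverses:
            findings.append((no, f"ProxyPass {path} has no matching ProxyPassReverse"))
        elif reverses[path][1] != target:
            findings.append((no, f"ProxyPass and ProxyPassReverse targets differ for {path}"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_proxy_block(SAMPLE):
        print(f"line {no}: {msg}")
```
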