5 Installing WebPass

The WebPass is second in the sequence of Oracle Access Manager components to install. This chapter explains how to install the WebPass and configure your Web server to work with it. For details, see:

• About WebPass and Installation

• WebPass Prerequisites Checklist

• Installing the WebPass

• Manually Configuring Your Web Server

• Establishing Communication with the Identity Server

• Confirming WebPass Installation

See Also: "Confirming Certification Requirements"

5.1 About WebPass and Installation

The WebPass is a Web server plug-in that shuttles information back and forth between the Web server and the Identity Server as described in the Oracle Access Manager Introduction. (A WebPass must also be installed with each Policy Manager as discussed in "Identity System Guidelines".)

Installing a WebPass follows a similar sequence and includes a number of the same procedures as the Identity Server installation. However, the following exceptions apply to WebPass:

• WebPass does not communicate with the directory server. Therefore, no directory server details are requested during WebPass installation.

• WebPass does communicate with a Web server.

  Be sure to choose the proper package for your Web server and platform. The Web server configuration must be updated. Oracle recommends that you accept the automatic update during WebPass installation.

Important: WebPass cannot reside in the same directory as the Identity Server (or Policy Manager). For example, if the Identity Server is installed in C:\OracleAccessManager\, consider installing the WebPass in C:\OracleAccessManager\WebComponent.

Task overview: Installing a WebPass

1. Install the WebPass and specify a unique identifier for WebPass (different than Identity Server identifier), as described in .

2. Conclude with the appropriate procedures for your installation. For example:

   • Manually Configuring Your Web Server (if you don't do this automatically during installation)

   • Verifying WebPass Permissions on IIS in Chapter 19

   • Confirming WebPass Installation

The installation process is similar regardless of the installation method you choose and your operating system. Differences for specific operating systems and Web servers are noted within the installation procedures when appropriate. Again, any caveats are identified and may be skipped when they do not apply to your environment.

During WebPass installation on a Windows system, you will not be asked to specify a Windows Service name. Rather than starting and stopping a WebPass service, you will start and stop the WebPass Web server.

5.1.1 About Installing Multiple WebPass Instances

If you plan to install multiple WebPass instances, pay close attention to the following items:

• Oracle Access Manager supports one WebPass for each Web server instance. This means that each WebPass instance must have its own Web server instance.

• All WebPass instances must be installed with the same transport security mode as the Identity Server to which they are connecting.

• You must have at least one WebPass instance installed before you can perform the Identity Server setup described in Chapter 6, "Setting Up the Identity System".

• After the first Identity Server is set up, you can install any number of WebPass instances. For each additional WebPass, you must add information about the new instance in the Identity System Console. For details and instructions, see the Oracle Access Manager Identity and Common Administration Guide.

5.2 WebPass Prerequisites Checklist

Before you begin installing the WebPass, check the tasks in Table to ensure they have been completed. Failure to complete prerequisites may adversely affect your Oracle Access Manager installation

Table 5-1 WebPass Installation Prerequisites Checklist

Checklist	WebPass Installation Prerequisites
	Review and complete all prerequisites and requirements that apply to your environment, as described in Part I, "Installation Planning and Prerequisites"
	Complete all activities in Chapter 4, "Installing the Identity Server".
	Review Web server specific details in: Meeting Web Server Requirements Chapter 16, "Configuring Apache v1.3-based Web Servers for Oracle Access Manager" Chapter 17, "Configuring Web Components for Apache v2-based Web Servers" Chapter 18, "Setting Up Lotus Domino Web Servers for WebGates" Chapter 19, "Installing Web Components for the IIS Web Server"

5.3 Installing the WebPass

Refer to your completed installation preparation worksheets as you install the WebPass. The procedures in this sequence cover both GUI and console method. Following the program launch, one set of procedures will be provided because the sequence is similar.

The following procedures must be completed to install the WebPass:

Task overview: Installing a WebPass

1. Choosing the installation method and initiating the process as described in "Starting the Installation"

2. Choosing a transport security option for WebPass as discussed in "Specifying a Transport Security Mode"

3. Identifying WebPass configuration details as described in "Specifying WebPass Configuration Details"

4. Performing automatic Web server configuration updates as explained in "Updating the WebPass Web Server Configuration"

5. Completing the process as discussed in "Finishing the WebPass Installation"

5.3.1 Starting the Installation

Be sure to choose the appropriate installation package for your Web server and review Web server-specific details as described in Table 5-1.

To start the WebPass installation

1. Log in as a user with administrator privileges.

2. Locate the WebPass installer (including any Identity System Language Packs you want to install) in the temporary directory you created.

3. Launch the WebPass installer for your preferred platform, installation method, and Web server. For example:

   • GUI Method

     Windows: Oracle_Access_Manager10_1_4_3_0_Win32_API_WebPass.exe

   • Console Method

     Solaris: ./ Oracle_Access_Manager10_1_4_3_0_sparc-s2_API_WebPass

     The Welcome screen appears.

4. Dismiss the Welcome screen by clicking Next.

5. Respond to the question about administrator rights based upon your platform. For example:

6. Choose the installation destination, then click Next. For example:

   \OracleAccessManager\Webcomponent

7. Language Pack: Choose a Default Locale to use for the Administrator language and any other Locales to install, then click Next.

   A summary identifies the installation directory and required disk space and asks you to make a note of this information for future reference.

8. Write the installation directory name, if needed, then click Next to continue.

   You are notified that the WebPass is being installed and kept informed about the status of the process, which may take several seconds. On Windows systems, the Microsoft Managed Interfaces are also being configured.

   You are asked to specify a transport security mode to use between the WebPass and Identity Server. At this point, you cannot return to restate the installation directory.

5.3.2 Specifying a Transport Security Mode

Transport security between all Identity System components (Identity Servers and WebPass instances) must match: either all open, all Simple mode, or all Cert. For more information, see "Securing Oracle Access Manager Component Communications".

To specify a transport security mode

1. Choose the same transport security mode for the WebPass as you did for the Identity Server.

2. Click Next.

   When you specify Simple or Cert, you will be asked for additional information later. You are asked now for WebPass configuration details.

5.3.3 Specifying WebPass Configuration Details

Now, you are asked to enter a unique name to use for this WebPass, which will appear in the Identity System Console after setup.

Each WebPass must have a unique name that identifies it. The WebPass name you specify cannot contain any blank spaces and must uniquely identify this WebPass in the Identity System Console and LDAP directory.

You are also asked to identify the DNS hostname and port number of a Identity Server with which this WebPass should communicate. In addition, you may be asked to specify additional information about the transport security mode you selected when you selected either Simple or Certificate mode only.

To specify WebPass configuration details

1. Enter a unique name for this WebPass that adheres to the preceding guidelines. For example:

   WebPass_1014_1_72

2. Enter the DNS hostname of the Identity Server with which this WebPass should communicate. For example:

   Identity_DNS_hostname

3. Enter the port number of the Identity Server with which this WebPass should communicate, then click Next. For example:

   Identity_port

4. Perform the following operations according to the transport security mode you chose earlier.

   • Open: Skip to .

   • Simple: Specify and confirm the Pass Phrase to authenticate between the Identity Server and WebPass, click Next, then continue with .

   • Certificate: Continue with step 5.

5. Certificate: Indicate if you are requesting or installing a certificate, then click Next and continue as follows:

   • If you are requesting a certificate, enter information about your organization, click Next, issue the request to your CA, and continue with step 6.

   • If you are installing a certificate, skip to step 8.

6. Request Certificate: Record the location of the private key and certificate request files, if displayed, then click Next.

7. Request Certificate: Click Yes if your certificates are available (otherwise click No), then click Next and continue with step 8.

   If certificates are not ready, complete the installation. When you receive the certificates, copy these to the \WebPass_install_dir\identity\oblix\config directory and restart the WebPass Web server.

   
   

   Note: With an IIS Web server, consider using net stop iisadmin and net start w3svc to stop and start IIS after installing WebPass. This is a good way to ensure that the Metabase does not become corrupted. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".

   
   

8. Install Certificate: Specify the full paths to the requested files, then click Next and continue with .

You are notified that the WebPass is being configured, which may take a few seconds. The information has been saved and you may not return to previous screens to restate details.

You are now asked to update the WebPass Web server configuration.

5.3.4 Updating the WebPass Web Server Configuration

Your WebPass Web server must be configured with product-related configuration information to use the WebPass component. You can direct this update to occur either automatically or manually. Updating the Web server configuration:

• On Sun Web servers a configuration update involves updating the obj.conf and magnus.conf files.

• On IIS Web servers a configuration update involves updating the Web server directly by adding the ISAPI filter and creating extensions required by Oracle Access Manager. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".

• On Apache Web servers a configuration update involves updating the httpd.conf file. For more information, see Chapter 16, "Configuring Apache v1.3-based Web Servers for Oracle Access Manager" or Chapter 17, "Configuring Web Components for Apache v2-based Web Servers".

Oracle recommends automatically updating your Web server configuration. However, instructions for manual configuration are included.

To automatically update your Web server configuration

1. Click Yes to automatically update your Web server, then click Next. For example:

   • Most Web Servers: Specify the absolute path of the directory containing the Web server configuration files.

   • IIS Web Servers: The process begins immediately and may take more than a minute. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".

   A screen appears when the Web server configuration has been updated.

2. Sun Web Servers: Apply the changes in the Web server Administration console before you continue.

3. Stop the WebPass Web server instance, then stop the Identity Server service.

4. Start the Identity Server service, then start the WebPass Web server instance.

   
   

   Note: With IIS, using net stop iisadmin and net start w3svc are good ways to stop and start the Web server after installing WebPass, to ensure that the Metabase does not become corrupted. For more information, see Chapter 19, "Installing Web Components for the IIS Web Server".

   
   

5. Click Next to dismiss the announcement, then continue with .

   ReadMe information appears.

To manually update your Web server configuration

1. Click No when asked if you want to proceed with the automatic update, then click Next.

   ReadMe information appears along with a new screen to assist you in manually setting up your Web server for Oracle Access Manager.

2. Return to the WebPass installation screen and click Next to finish the installation.

3. Complete .

5.3.5 Finishing the WebPass Installation

The ReadMe information provides details about documentation and Oracle.

To finish the WebPass installation

1. Review the ReadMe information.

2. Click Next to complete the installation.

3. Continue with the following procedures, as needed:

   • Security-Enhanced Linux: Run the chcon commands for the WebPass you just installed on this platform:

     
     

     See Also: "SELinux Issues".

     
     

   • Native POSIX Thread Library: When installing Oracle Access Manager Web components for use with NPTL, there is no need to set the environment variable LD_ASSUME_KERNEL to 2.4.19.

     
     

     See Also: "NPTL Requirements and Post-Installation Tasks".

     
     

   • Manually Configuring Your Web Server if you did not do this automatically during WebPass installation.

   • Verifying WebPass Permissions on IIS in Chapter 19

   • Establishing Communication with the Identity Server

   • Confirming WebPass Installation

   • Chapter 6, "Setting Up the Identity System"

5.4 Manually Configuring Your Web Server

If you do not want the installation wizard to update your Web server configuration during WebPass installation, you must do it manually before you set up the Identity Server.

Note: You complete step 1 only if needed to display online instructions.

To configure your Web server for the WebPass

1. Launch your Web browser, and open the following file, if needed. For example:

   \WebPass_install_dir\identity\oblix\lang\langTag\docs\config.htm

   where \WebPass_install_dir is the directory where you installed the WebPass and langTag is a language, en-us, for example.

2. Select the appropriate Web server interface configuration protocol from the table on the screen

3. Follow all instructions specific to your Web server type and:

   • Make a back up copy of any file that you are required to modify during Web server set up, so it is available if you need to start over.

   • Some setups launch a new browser window or require you to launch a Command window to input information, so ensure that you return to and complete all original setup instructions to enable your Web server to recognize the appropriate Oracle Access Manager files.

   
   

   Note: If you accidentally close the window, you can open the \WebPass_install_dir\identity\oblix\apps\common\docs\config.htm file in a browser window and click the appropriate link again.

   
   

4. Continue with the appropriate task for your environment when you finish your Web server update. For example:

   • Verifying WebPass Permissions on IIS in Chapter 19

   • Confirming WebPass Installation

   • Security-Enhanced Linux: Errors might be reported in Web server logs/console when starting a Web server on Linux distributions that have stricter SELinux policies in place after installing an Oracle Access Manager Web component. You can avoid these errors by running appropriate chcon commands for the installed Web component before restarting the Web server.

     
     

     See Also: "SELinux Issues"

     
     

5.5 Establishing Communication with the Identity Server

After installation, you must establish communications between WebPass and its Identity Server when the Web server restarts using the following procedure.

To establish communications between WebPass and its Identity Server

1. Stop the WebPass Web server instance.

2. Stop then restart Identity Server service.

3. Start the WebPass Web server instance.

5.6 Confirming WebPass Installation

A good way to ensure that the WebPass is installed correctly is to complete the following procedure.

To confirm your WebPass installation

1. Make sure your Identity Server and WebPass Web server are running.

2. Navigate to the Identity System Console from your browser by specifying the following URL. For example:

        http://hostname:port/identity/oblix
   

   where hostname refers to computer that hosts the Web server; port refers to the HTTP port number of the WebPass Web server instance; /identity/oblix connects to the Identity System Console.

   The Identity System landing page should appear.

Note: Do not select any link on the Identity System landing page, because the system has not yet been set up. See Chapter 6, "Setting Up the Identity System".