B Using Oracle HTTP Server as a Proxy for Oracle Identity Federation

This appendix explains how to set up Oracle HTTP Server as a proxy server for Oracle Identity Federation.

B.1 Configuring Oracle HTTP Server as Proxy

Note:

Refer to your application server documentation for more information about setting up a proxy server for your environment.

Take these steps to set up an Oracle HTTP Server as a proxy for Oracle Identity Federation:

  1. If not previously created with the IdM installer, create an Oracle HTTP Server component using the following command:

    $AS_ISNT/bin/opmnctl createcomponent -componentType OHS -componentName $OHS_NAME
    

    where $AS_ISNT is the directory where the application server instance is installed, and $OHS_NAME is the name of the new Oracle HTTP Server component.

  2. Edit the file $AS_ISNT/config/OHS/$OHS_NAME/moduleconf/oif.conf. If this file is not present, create it with this content:

    # References the WebLogic server or Cluster where OIF is running
    <Location /fed>
        # Standalone install
        # WebLogicHost myweblogic.server.com
        # WebLogicPort 7499
     
        # Clustered install
        # WebLogicCluster w1s1.com:7499,w1s2.com:7499,w1s3.com:7499
     
      SetHandler weblogic-handler
    </Location> 
    
    1. If the IdM install is in stand-alone mode, uncomment and set the WebLogicHost and WebLogicPort directives to reference the WebLogic managed server where Oracle Identity Federation is running:

      # Standalone install
      WebLogicHost OIF-HOST
      WebLogicPort OIF-PORT
      
    2. If the IdM install is in clustered mode, uncomment and set the WebLogicCluster directive to reference the WebLogic managed servers where Oracle Identity Federation is running:

      # Clustered install
      WebLogicCluster OIF-HOST-1:OIF-PORT-1,OIF-HOST-2:OIF-PORT-2,OIF-HOST-3:OIF-PORT-3
      
  3. If the proxy connects to Oracle Identity Federation over SSL, edit the $ORACLE_HOME/ohs/conf/httpd.conf file and add the following directive, which tells the WebLogic proxy plug-in which wallet to use for the back-end connection:

    WlSSLWallet "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/keystores/default"
    
  4. If you have not already done so, import the certificate of the certificate authority that issued the Oracle Identity Federation server certificate into this wallet; without it the proxy cannot verify the back-end server. See Section 8.1, "Configuring SSL for Oracle Identity Federation" for details.

  5. If SSL is enabled on the proxy itself (that is, clients connect to Oracle HTTP Server over SSL), follow the instructions in Section 8.1, "Configuring SSL for Oracle Identity Federation". Omit the section about editing the mod_wl.conf file.

  6. Restart Oracle HTTP Server to make the configuration changes effective.

    $AS_ISNT/bin/opmnctl restartproc process-type=OHS
    
  7. Determine the proxy HTTP or HTTPS ports by going to Fusion Middleware Control, locating the Oracle HTTP Server instance, and navigating to Administration, then Ports Configuration. You can test the proxy by invoking the following URL (use https:// if SSL is enabled on the proxy); the response should be the SAML metadata of the Oracle Identity Federation service provider:

    http://PROXY-HOST:PROXY-PORT/fed/sp/metadata
    
  8. Reconfigure Oracle Identity Federation to use the proxy host and port for its external URLs, so that the URLs it publishes in metadata and redirects reference the proxy rather than the WebLogic managed server. Locate the Oracle Identity Federation instance in Fusion Middleware Control, and navigate to Administration, then Server Properties, then Connection Settings:

    • Host

    • Port

    • SOAP Port

    • SSL Enabled

  9. If using Oracle Access Manager as the identity management system, use the Access System console to update the Fed SSO authentication schemes. In the console, navigate to Access System Configuration, then Authentication Management. Change the Challenge Redirect parameter for each Oracle Identity Federation Authentication scheme to use the proxy host and port.

    See Also:

    Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager 10g for details about the Web-based user interface.

  10. Communicate the changes to partners using this Oracle Identity Federation server, if necessary. Partners using SAML 2.0, SAML 1.x, or Liberty 1.x will need to download new metadata. Partners using WS-Federation will need to manually update their configurations.

  11. If Oracle Identity Federation is integrated with Oracle Single Sign-On, some additional steps are required. Follow the instructions in these sections:
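The following script is an added worked example for steps 2, 7 and 8 above; it is not part of this appendix and is not Oracle product code. It renders the <Location /fed> block of oif.conf for either a stand-alone or a clustered install, and it checks the metadata served at /fed/sp/metadata after step 8 so that every endpoint points at the proxy and not at the internal WebLogic host. The host names (fed.example.com, oif1.example.com, oif.internal.example.com), the ports 4443 and 7499, and the sample metadata document are all constructed for illustration.

```python
"""Render the oif.conf <Location /fed> block and verify published OIF metadata.

Added example; not Oracle code. Host names, ports and the sample metadata
below are constructed for illustration.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse


def render_oif_conf(servers, location="/fed"):
    """Return the oif.conf text for the given WebLogic managed servers.

    servers: list of (host, port). A single entry produces the stand-alone
    form (WebLogicHost/WebLogicPort); two or more produce WebLogicCluster.
    """
    if not servers:
        raise ValueError("at least one WebLogic managed server is required")
    lines = [
        "# References the WebLogic server or Cluster where OIF is running",
        f"<Location {location}>",
    ]
    if len(servers) == 1:
        host, port = servers[0]
        lines += [f"    WebLogicHost {host}", f"    WebLogicPort {port}"]
    else:
        members = ",".join(f"{host}:{port}" for host, port in servers)
        lines.append(f"    WebLogicCluster {members}")
    lines += ["    SetHandler weblogic-handler", "</Location>"]
    return "\n".join(lines) + "\n"


def _origin(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    u = urlparse(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return u.scheme, (u.hostname or "").lower(), port


def check_metadata_urls(xml_text, proxy_host, proxy_port, ssl_enabled):
    """Return [(attribute, url)] for every endpoint in SAML 2.0 metadata that
    does not point at the proxy. An empty list means step 8 took effect.
    """
    expected = ("https" if ssl_enabled else "http", proxy_host.lower(), int(proxy_port))
    root = ET.fromstring(xml_text)  # metadata fetched from our own OIF server
    mismatches = []
    # The entityID is compared only when it is itself an http(s) URL.
    entity_id = root.get("entityID", "")
    if entity_id.startswith(("http://", "https://")) and _origin(entity_id) != expected:
        mismatches.append(("entityID", entity_id))
    # Every endpoint element carries Location and optionally ResponseLocation.
    for elem in root.iter():
        for attr in ("Location", "ResponseLocation"):
            url = elem.get(attr)
            if url and _origin(url) != expected:
                mismatches.append((attr, url))
    return mismatches


# Constructed sample: what /fed/sp/metadata might return if step 8 was skipped
# for some settings (the SLO endpoint is right, the ACS endpoint is not).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://oif.internal.example.com:7499/fed/sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://fed.example.com:4443/fed/sp/sloredirect"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://oif.internal.example.com:7499/fed/sp/authnResponse"
        index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    print(render_oif_conf([("oif1.example.com", 7499), ("oif2.example.com", 7499)]))
    for attr, url in check_metadata_urls(SAMPLE_METADATA, "fed.example.com", 4443, True):
        print(f"still points at the internal host: {attr}={url}")
```

Run the check against the metadata fetched through the proxy in step 7 before sending new metadata to partners in step 10: any reported URL would reach partners as an endpoint on the internal WebLogic host, which they cannot reach and which the proxy was meant to hide.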

B.2 SSL Configuration for Oracle HTTP Server

To configure SSL between Oracle HTTP Server and Oracle WebLogic Server, refer to: