21 Migrating from Domain Agent to Oracle HTTP Server 10g Webgate for OAM

This chapter describes how to migrate from the Domain Agent to Oracle HTTP Server 10g Webgate for Oracle Access Manager (OAM) to protect applications by using the same policy domain used by the Domain Agent. By default, applications deployed in an Oracle Identity and Access Management 11.1.1.5.0 domain are protected by the Domain Agent.

Note:

Read this chapter only if you want to use Oracle HTTP Server 10g Webgate for Oracle Access Manager after setting up integration between Oracle Identity Manager and Oracle Access Manager, as described in the chapter "Integrating Oracle Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.

This chapter discusses the following topics:

  - Section 21.1, "Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0)"
  - Section 21.2, "Provisioning Oracle HTTP Server 10g Webgate for OAM Profile"
  - Section 21.3, "Installing Oracle HTTP Server 10g Webgate for OAM"
  - Section 21.4, "Configuring mod_weblogic"
  - Section 21.5, "Optional: Configuring Host Identifier"
  - Section 21.6, "Updating OIM Server Configuration"
  - Section 21.7, "Optional: Disabling Domain Agent"
  - Section 21.8, "Optional: Updating Oracle Identity Manager Configuration"

21.1 Installing and Configuring Oracle HTTP Server 11g (11.1.1.5.0)

If you do not have an existing Oracle HTTP Server 11g (11.1.1.5.0) installation, you can install Oracle HTTP Server 11.1.1.2.0 and patch it to the latest version 11.1.1.5.0.

Oracle HTTP Server 11.1.1.2.0 is included in the Oracle Web Tier 11g Installer; download the Oracle Web Tier 11g (11.1.1.2.0) Installer from the Oracle Technology Network (OTN):

http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html

Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:

http://edelivery.oracle.com/

Note:

For information about installing and configuring Oracle HTTP Server 11g (11.1.1.2.0), see the "Installing Oracle Web Tier" topic in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier. For information about patching Oracle HTTP Server 11.1.1.2.0 to 11.1.1.5.0 using the Patch Set Installer, see the "Applying the Latest Oracle Fusion Middleware Patch Set" topic in the Oracle Fusion Middleware Patching Guide.

After you install and configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.

21.2 Provisioning Oracle HTTP Server 10g Webgate for OAM Profile

For information about provisioning a profile for Oracle HTTP Server 10g Webgate for use with Oracle Access Manager 11g server, see the "Provisioning a 10g WebGate for Use with OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

Note:

Ensure that the hostIdentifier parameter is set to IDMDomain and the autoCreatePolicy parameter is set to false when you are provisioning Oracle HTTP Server 10g Webgate to replace Domain Agent for OAM-OIM integration.

21.3 Installing Oracle HTTP Server 10g Webgate for OAM

For information about installing Oracle HTTP Server 10g Webgate for Oracle Access Manager (OAM), see the "Locating and Installing the Latest OAM 10g WebGate for OAM 11g" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.

21.4 Configuring mod_weblogic

After installing Oracle HTTP Server 10g Webgate for Oracle Access Manager, you must configure the Web server to forward requests to the applications deployed on the WebLogic Server.

Open the mod_wl_ohs.conf file, which is located in <OHS_Instance_Home>/config/OHS/<Instance_Name>, in a text editor and add the appropriate entries, as in the following example:

<IfModule weblogic_module>
     <Location /oamconsole>
     SetHandler weblogic-handler
     WebLogicHost examplehost.exampledomain.com
     WebLogicPort   6162
     </Location>
     <Location /apmconsole>
     SetHandler weblogic-handler
     WebLogicHost examplehost.exampledomain.com
     WebLogicPort   6162
     </Location>
</IfModule>

Add similar Location entries for all the URIs for all the applications that were previously accessed directly on WebLogic Server.

After making the changes, restart Oracle HTTP Server. You can use the OPMN command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command line to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

  1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

  2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>

21.5 Optional: Configuring Host Identifier

This task is required only if you have set up integration between Oracle Identity Manager and Oracle Access Manager.

To configure host identifiers for auto-login functionality, complete the following steps:

  1. Launch the Oracle Access Manager Administration Console (http://<oamserverhost>:<adminport>/oamconsole).

  2. Click the Policy Configuration tab.

  3. On the left navigation pane, click Host Identifiers > IDMDomain. The Host Identifier page is displayed.

  4. In the Operations section on the Host Identifier page, all the host name and port number combinations are listed. Verify whether the section includes the host name and port number of the web server on which the Oracle HTTP Server 10g Webgate is configured.

    If it is not listed, add an entry as follows:

    1. On the Operation section, click the + icon. A new blank row is added to the Operations section.

    2. In the Host Name field, enter the host name of the web server on which the Oracle HTTP Server 10g Webgate is configured.

    3. In the Port field, enter the port number.

    4. Click Apply.

21.6 Updating OIM Server Configuration

Update the Oracle Identity Manager (OIM) configuration in the oam-config.xml file (located in the <DOMAIN_HOME>/config/fmwconfig directory) so that the Host and Port settings under the IdentityManagement element point to the Oracle HTTP Server on which the Oracle HTTP Server 10g Webgate is configured:

  1. Open the oam-config.xml file in a text editor.

  2. Update the entries as follows:

    <Setting Name="IdentityManagement" Type="htf:map">
      <Setting Name="ServerConfiguration" Type="htf:map">
        <Setting Name="OIM-SERVER-1" Type="htf:map">
          <Setting Name="Host" Type="xsd:string">OHS-HOST</Setting>
          <Setting Name="Port" Type="xsd:integer">OHS-PORT</Setting>
          <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
        </Setting>
      </Setting>
    </Setting>
    
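The edit above is easy to get wrong by hand (the snippet nests three map Settings, and a missing closing tag leaves oam-config.xml unparseable). The following script is an added example, not part of the Oracle guide: it locates the IdentityManagement element, rewrites the Host and Port of every OIM server entry to the Oracle HTTP Server host and port, and reads the result back so the change can be verified before the file is written. The sample document, the host name ohs.example.com and the ports are constructed; the real oam-config.xml has many more settings and may carry an XML namespace, which is why the search compares local element names and walks the whole tree.

```python
"""Point the OIM server entries in oam-config.xml at the Oracle HTTP Server.

Added example (not from the Oracle guide). Element names and the
Setting Name/Type attributes follow the snippet in the guide; the sample
document, host name and port values below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the state before migration: OIM-SERVER-1 still points
# at the OIM managed server rather than at Oracle HTTP Server.
SAMPLE_OAM_CONFIG = """\
<Configuration>
  <Setting Name="IdentityManagement" Type="htf:map">
    <Setting Name="ServerConfiguration" Type="htf:map">
      <Setting Name="OIM-SERVER-1" Type="htf:map">
        <Setting Name="Host" Type="xsd:string">oimhost.example.com</Setting>
        <Setting Name="Port" Type="xsd:integer">14000</Setting>
        <Setting Name="SecureMode" Type="xsd:boolean">false</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _local(tag):
    """Strip any namespace prefix ('{uri}Setting' -> 'Setting')."""
    return tag.rsplit("}", 1)[-1]


def _child_setting(parent, name):
    """Return the direct child <Setting Name="name"> of parent, or None."""
    for child in parent:
        if _local(child.tag) == "Setting" and child.get("Name") == name:
            return child
    return None


def _server_entries(root):
    """Return the list of <Setting> elements under
    IdentityManagement/ServerConfiguration, wherever that map sits in the tree."""
    for el in root.iter():
        if _local(el.tag) == "Setting" and el.get("Name") == "IdentityManagement":
            servers = _child_setting(el, "ServerConfiguration")
            if servers is None:
                raise ValueError("IdentityManagement has no ServerConfiguration map")
            return [s for s in servers if _local(s.tag) == "Setting"]
    raise ValueError("IdentityManagement setting not found")


def set_oim_frontend(xml_text, ohs_host, ohs_port):
    """Return xml_text with every OIM server entry pointed at ohs_host:ohs_port."""
    root = ET.fromstring(xml_text)
    for server in _server_entries(root):
        host = _child_setting(server, "Host")
        port = _child_setting(server, "Port")
        if host is None or port is None:
            raise ValueError("server entry %s lacks Host or Port" % server.get("Name"))
        host.text = ohs_host
        port.text = str(int(ohs_port))  # Port is xsd:integer; reject junk early
    return ET.tostring(root, encoding="unicode")


def oim_endpoints(xml_text):
    """Return {server name: (host, port, secure)} for verification after the edit."""
    result = {}
    for server in _server_entries(ET.fromstring(xml_text)):
        host = _child_setting(server, "Host").text
        port = int(_child_setting(server, "Port").text)
        secure = (_child_setting(server, "SecureMode").text or "").strip() == "true"
        result[server.get("Name")] = (host, port, secure)
    return result


if __name__ == "__main__":
    updated = set_oim_frontend(SAMPLE_OAM_CONFIG, "ohs.example.com", 7777)
    print(oim_endpoints(updated))
```

Run it against a copy of oam-config.xml, compare the dictionary returned by oim_endpoints with the host and port of the Oracle HTTP Server instance, and only then replace the file; SecureMode is reported but left untouched, as the guide keeps it at false.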

Note:

Ensure that you have set up integration between Oracle Identity Manager and Oracle Access Manager, as described in the topic "Integrating Oracle Access Manager and Oracle Identity Manager" in the Oracle Fusion Middleware Integration Guide for Oracle Access Manager.

After updating OIM Server configuration, you must perform logout configuration as follows:

  1. Copy the logout.html file from the <IDM_ORACLE_HOME>/oam/server/oamsso directory to the <10gWebgateInstallation>/access/oamsso directory.

  2. Edit the SERVER_LOGOUTURL variable in the logout.html file to point to the host and port of the Oracle Access Manager Server. Follow the instructions in the logout.html file.

  3. If the http.conf file of the web server includes the following entries, remove the entries from the http.conf file:

    <LocationMatch "/oamsso/*">
      Satisfy any
    </LocationMatch>
    

21.7 Optional: Disabling Domain Agent

Domain Agent, which runs on the Administration Server and all Managed Servers in the Oracle Identity and Access Management domain, automatically detects the existence of a Webgate in the request flow. You do not need to disable the Domain Agent. However, if you want to disable the out-of-the-box Domain Agent, you can complete the following steps:

  1. On UNIX, change to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain> directory. On Windows, change to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain> directory.

  2. To disable the Domain Agent running on the Administration Server, start the WebLogic Administration Server on the command line as follows:

    On UNIX:

    ./startWebLogic.sh -DWLSAGENT_DISABLED=true

    On Windows:

    startWebLogic.cmd -DWLSAGENT_DISABLED=true

  3. On UNIX, change to the <MW_HOME>/user_projects/domains/<name_of_your_WebLogic_domain>/bin directory. On Windows, change to the <MW_HOME>\user_projects\domains\<name_of_your_WebLogic_domain>\bin directory.

  4. To disable the Domain Agent running on Managed Servers in the domain, start the Managed Servers on the command line as follows:

    On UNIX:

    ./startManagedWebLogic.sh <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

    On Windows:

    startManagedWebLogic.cmd <name_of_your_Managed_Server> -DWLSAGENT_DISABLED=true

21.8 Optional: Updating Oracle Identity Manager Configuration

You can update the <OHS_Instance_Home>/config/OHS/<ohs_name>/mod_wl_ohs.conf to front-end Oracle Identity Manager URLs with Oracle HTTP Server.

To do so, complete the following steps:

Open the mod_wl_ohs.conf file in a text editor and add the appropriate entries, as in the following example:

<IfModule weblogic_module>
     WebLogicHost OIM_MANAGED_SERVER_HOST
     WebLogicPort OIM_MANAGED_SERVER_PORT
     MatchExpression /oim*
     MatchExpression /admin*
     MatchExpression /xlWebApp*
     MatchExpression /Nexaweb*
     MatchExpression /workflowservice*
     MatchExpression /callbackService*
     MatchExpression /SchedulerService-web*
     MatchExpression /iam-consoles-faces*
</IfModule>

Replace the values of OIM_MANAGED_SERVER_HOST and OIM_MANAGED_SERVER_PORT with the values of Oracle Identity Manager Managed Server's host and port.
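Sections 21.4 and 21.8 both depend on every application URI that was previously reached directly on WebLogic Server having a forwarding rule in mod_wl_ohs.conf; a URI without one simply returns a 404 from Oracle HTTP Server, or, worse, stays reachable only on the WebLogic port where the Webgate is not in the request flow. The script below is an added example, not part of the Oracle guide: it parses the two rule forms the guide shows (a <Location> block that sets the weblogic-handler, and a MatchExpression prefix pattern), and reports the required URIs that no rule covers. The sample configuration and the list of required URIs are constructed; the WLSRequest On form is accepted as well because OHS 11g also uses it.

```python
"""Check mod_wl_ohs.conf for application URIs with no forwarding rule.

Added example (not from the Oracle guide). Handles the two rule forms the
guide uses: <Location /uri> ... SetHandler weblogic-handler ... </Location>
and MatchExpression /uri* inside <IfModule weblogic_module>. The sample
configuration and REQUIRED_URIS below are constructed.
"""
import re

# Constructed sample: a Location forwarded to WebLogic, a Location that is
# deliberately NOT forwarded, and two MatchExpression rules.
SAMPLE_CONF = """\
<IfModule weblogic_module>
     <Location /oamconsole>
     SetHandler weblogic-handler
     WebLogicHost examplehost.exampledomain.com
     WebLogicPort   6162
     </Location>
     <Location /static>
     SetHandler default-handler
     </Location>
     WebLogicHost OIM_MANAGED_SERVER_HOST
     WebLogicPort OIM_MANAGED_SERVER_PORT
     MatchExpression /oim*
     MatchExpression /admin*
</IfModule>
"""

# Constructed subset of the URIs listed in the guide; extend it with every
# application that was accessed directly on WebLogic Server.
REQUIRED_URIS = ["/oamconsole", "/apmconsole", "/oim", "/admin", "/xlWebApp"]

_LOCATION_RE = re.compile(r"<Location\s+([^\s>]+)\s*>(.*?)</Location>",
                          re.IGNORECASE | re.DOTALL)
_FORWARD_RE = re.compile(r"SetHandler\s+weblogic-handler|WLSRequest\s+On",
                         re.IGNORECASE)
_MATCH_RE = re.compile(r"^[ \t]*MatchExpression\s+(\S+)",
                       re.IGNORECASE | re.MULTILINE)


def forwarding_rules(conf_text):
    """Return a set of (prefix, is_glob) rules that forward to WebLogic.

    A <Location> block counts only if its body forwards to WebLogic; it
    matches its path and sub-paths. A MatchExpression ending in '*' is a
    plain string-prefix glob, so '/oim*' also matches '/oim-console'.
    """
    rules = set()
    for uri, body in _LOCATION_RE.findall(conf_text):
        if _FORWARD_RE.search(body):
            rules.add((uri.rstrip("/") or "/", False))
    for pattern in _MATCH_RE.findall(conf_text):
        if pattern.endswith("*"):
            rules.add((pattern[:-1], True))
        else:
            rules.add((pattern.rstrip("/") or "/", False))
    return rules


def covers(rule, uri):
    """True if a single rule forwards the given request URI."""
    prefix, is_glob = rule
    if is_glob:
        return uri.startswith(prefix)
    return prefix == "/" or uri == prefix or uri.startswith(prefix + "/")


def missing_uris(conf_text, required):
    """Return the required URIs, in order, that no forwarding rule covers."""
    rules = forwarding_rules(conf_text)
    return [uri for uri in required if not any(covers(r, uri) for r in rules)]


if __name__ == "__main__":
    for uri in missing_uris(SAMPLE_CONF, REQUIRED_URIS):
        print("no forwarding rule for", uri)
```

Point SAMPLE_CONF at the real file (for example, read <OHS_Instance_Home>/config/OHS/<Instance_Name>/mod_wl_ohs.conf) and keep REQUIRED_URIS in step with the Location and MatchExpression lists in Sections 21.4 and 21.8; an empty result is the condition to meet before restarting Oracle HTTP Server.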

After making the changes, restart Oracle HTTP Server. You can use the OPMN command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command line to stop all running instances:

<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall

To restart the Oracle HTTP Server instance, run the following commands on the command line:

  1. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start

  2. <Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>

Updating the OIM Configuration When the OAM URL or Agent Profile Changes

You can update the Oracle Identity Manager configuration when the name of the agent profile is modified or the OAM URL is modified.

To update Oracle Identity Manager configuration, complete the following steps:

  1. Export the oim-config.xml file from metadata by running <IDM_ORACLE_HOME>/server/bin/weblogicExportMetadata.sh (on UNIX) and exporting the /db/oim-config.xml file. On Windows operating systems, use the weblogicExportMetadata.bat file located in the same directory.

  2. Update the file to use Oracle HTTP Server 10g Webgate by changing the following element under the <ssoConfig> tag:

    <webgateType>javaWebgate</webgateType> to <webgateType>ohsWebgate10g</webgateType>

  3. Import oim-config.xml back to metadata by running <IDM_Home>/server/bin/weblogicImportMetadata.sh on UNIX. On Windows, use the weblogicImportMetadata.bat located in the same directory.

  4. Log in to Oracle Enterprise Manager Fusion Middleware Control using your WebLogic Server administrator credentials.

  5. Click Identity and access > oim > oim(version). Right-click and select System MBean Browser. The System MBean Browser page is displayed.

  6. Under Application Defined MBeans, select oracle.iam > Server:oim_server1 > Application: oim > XMLConfig > config.

  7. Replace the front-end URL with the URL of Oracle HTTP Server. This should be the same Oracle HTTP Server that was used before installing Oracle HTTP Server 10g Webgate for Oracle Access Manager. Complete the following steps:

    1. Under XMLConfig MBean, move to XMLConfig.DiscoveryConfig.

    2. Update OimFrontEndURL with the URL of Oracle HTTP Server.

    3. Click Apply.

  8. Restart the OIM server.