This chapter describes how to configure the Oracle Web Tier for an Oracle Identity Management enterprise deployment.
This chapter includes the following topics:
Section 10.1, "Overview of Installing and Configuring the Web Tier"
Section 10.5, "Setting the Front End URL for the Administration Console"
This chapter describes how to install Oracle HTTP server and associate the Oracle Web Tier with the WebLogic Server domain. Once the Web tier is associated with the WebLogic Server, you can monitor it using the Oracle Fusion Middleware Console.
You then configure the load balancer to route all HTTP requests to WEBHOST1 and WEBHOST2.
The last section describes how to define the Oracle HTTP Server directives to route requests to the load balancer virtual hosts you defined in Chapter 3, "Preparing the Network for an Enterprise Deployment."
This section contains the following topics:
Before configuring the Oracle Web Tier software, you must install it on WEBHOST1 and WEBHOST2, as described in Section 10.2.3, "Installing Oracle HTTP Server." Run the Configuration Wizard to define the instance home, the instance name, and the Oracle HTTP Server component name.
Ensure that port 7777 (OHS_PORT) is not in use. Because Oracle HTTP Server is installed by default on port 7777, you must ensure that port 7777 is not used by any other service on the nodes. To check if this port is in use, run the following command before installing Oracle HTTP Server. You must free the port if it is in use.
```
netstat -an | grep 7777
```
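The `grep` above matches the digits 7777 anywhere on a line, so it also reports connections whose remote port is 7777 and local ports such as 17777 or 47777. The following script is an added example, not part of the Oracle guide: it parses `netstat -an` output and reports only local TCP ports in LISTEN state, checking both ports the page reserves (OHS_PORT 7777 and OPMN Local Port 6700). The embedded netstat output is a constructed sample, and `REQUIRED_PORTS` and the function names are assumptions of the example.

```python
"""Check whether the Oracle HTTP Server ports are free before installation.

Added example, not from the Oracle guide. Parses `netstat -an` output and
reports only TCP sockets in LISTEN state whose local port matches, which a
plain `grep 7777` does not distinguish from remote ports or from 17777.
"""
import subprocess

# Ports the page reserves: OHS_PORT and OPMN Local Port (names are the page's).
REQUIRED_PORTS = {"OHS_PORT": 7777, "OPMN Local Port": 6700}

# Constructed sample of `netstat -an` output: "7777" appears on three lines,
# but nothing listens on local port 7777; port 6700 is genuinely in use.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:47777          10.0.0.9:1521           ESTABLISHED
tcp        0      0 127.0.0.1:6700          0.0.0.0:*               LISTEN
tcp6       0      0 :::17777                :::*                    LISTEN
tcp        0      0 10.0.0.5:51234          10.0.0.7:7777           ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""


def listening_ports(netstat_output):
    """Return the set of local TCP ports in LISTEN state."""
    ports = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        # Linux netstat columns: proto recv-q send-q local foreign [state]
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue
        if parts[5] != "LISTEN":
            continue
        # The port follows the last colon, which also handles IPv6 forms like ":::17777".
        _, _, port = parts[3].rpartition(":")
        if port.isdigit():
            ports.add(int(port))
    return ports


def conflicting_ports(netstat_output, required=REQUIRED_PORTS):
    """Return {name: port} for the required ports that are already bound."""
    bound = listening_ports(netstat_output)
    return {name: port for name, port in required.items() if port in bound}


def naive_grep_matches(netstat_output, port):
    """Count the lines a plain `grep <port>` would report, for comparison."""
    return sum(1 for line in netstat_output.splitlines() if str(port) in line)


def check_live_system(required=REQUIRED_PORTS):
    """Run netstat on this host and return its conflicting ports (needs netstat on PATH)."""
    out = subprocess.run(["netstat", "-an"], capture_output=True, text=True, check=True).stdout
    return conflicting_ports(out, required)


if __name__ == "__main__":
    print("grep-style matches for 7777:", naive_grep_matches(SAMPLE_NETSTAT, 7777))  # 3
    print("ports really in use:", conflicting_ports(SAMPLE_NETSTAT))  # {'OPMN Local Port': 6700}
```

Run it without arguments to see the contrast on the sample; call `check_live_system()` on WEBHOST1 and WEBHOST2 to check the real hosts before starting the installer.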
Create a file containing the ports used by Oracle HTTP Server. On Disk1 of the installation media, locate the file stage/Response/staticports.ini. Copy it to a file called ohs_ports.ini. Delete all entries in ohs_ports.ini except for OHS PORT and OPMN Local Port. Change the values of those ports to 7777 and 6700, respectively.
Note:
If the port names in the file are slightly different from OHS PORT and OPMN Local Port, use the names in the file.
Install Oracle JRockit on WEBHOST1 and WEBHOST2 as described in Section 8.2.1.1, "Installing Oracle JRockit."
This section explains how to install Oracle HTTP Server on WEBHOST1 and WEBHOST2.
This section contains the following topics:
Prior to installing the Oracle HTTP server, check that your machines meet the following requirements:
Ensure that the system, patch, kernel, and other requirements are met as specified in Oracle Fusion Middleware Installation Guide for Oracle Web Tier.
On Linux platforms, if the /etc/oraInst.loc file exists, verify that its contents are similar to this:
```
inventory_loc=/u02/private/oracle/oraInventory
inst_group=oinstall
```
Ensure that the inventory directory is correct and that you have write permissions for that directory.
If the /etc/oraInst.loc file does not exist, you can skip this step.
As described in Section 4.4, "About Recommended Locations for the Different Directories," you install the Oracle HTTP Server onto a local disk. You can install it on shared storage, but if you do that, you must allow access from the Web Tier DMZ to your shared disk array, which is undesirable. If you decide to install onto shared disk then please see the Release Notes for further configuration information.
Before starting the install, ensure that the following environment variables are not set on Linux platforms: LD_ASSUME_KERNEL and ORACLE_INSTANCE.
To start Oracle Universal Installer on Linux, change directory to Disk 1 of the installation media and issue the command:
```
./runInstaller
```
Proceed as follows:
On the Specify Oracle Inventory Directory screen, enter HOME/oraInventory, where HOME is the home directory of the user performing the installation. (This is the recommended location.)
Enter the OS group for the user performing the installation.
Click Next.
On the Welcome screen, click Next.
On the Install Software Updates screen, choose whether to skip updates, check with Oracle Support for updates or search for updates locally.
Click Next.
On the Select Installation Type screen, select Install Software - Do Not Configure.
Click Next.
On the Prerequisite Checks screen, click Next.
On the Specify Installation Location screen, specify the following values:
Oracle Middleware Home Location (Installation Location): WEB_MW_HOME. For example: /u02/private/oracle/products/web
Oracle Home Directory: web
On the Specify Security Updates screen, choose whether to receive security updates from Oracle support.
Click Next.
On the Installation Summary screen, review the selections to ensure that they are correct (if they are not, click Back to modify selections on previous screens), and click Install.
The steps for configuring the Oracle Web Tier are the same for WEBHOST1 and WEBHOST2.
Perform these steps to configure the Oracle web tier:
Change the directory to the location of the Oracle Fusion Middleware Configuration Wizard:
```
cd WEB_ORACLE_HOME/bin
```
Start the Configuration Wizard:
```
./config.sh
```
Enter the following information into the configuration wizard:
On the Welcome screen, click Next.
On the Configure Component screen, select: Oracle HTTP Server.
Ensure that Associate Selected Components with WebLogic Domain is selected.
Ensure Oracle Web Cache is NOT selected.
Click Next.
On the Specify WebLogic Domain screen, enter:
Domain Host Name: ADMINVHN.mycompany.com
Domain Port No: 7001, where 7001 is WLS_ADMIN_PORT in Section B.3.
User Name: WebLogic Administrator User (for example: weblogic)
Password: Password for the WebLogic Administrator User account
Click Next.
On the Specify Component Details screen, specify the following values:
Enter the following values for WEBHOSTn, where n is 1 or 2:
Instance Home Location: WEB_ORACLE_INSTANCE (/u02/private/oracle/config/instances/webn)
Instance Name: webn
OHS Component Name: ohsn
Click Next.
On the Configure Ports screen, you use the ohs_ports.ini file you created in Section 10.2.1, "Prerequisites" to specify the ports to be used. This enables you to bypass automatic port configuration.
Select Specify Ports using a Configuration File.
In the file name field specify ohs_ports.ini.
Click Browse, then click Next.
In the Specify Security Updates screen, choose whether you want to receive security updates from Oracle support and if you do, enter your e-mail address.
On the Installation Summary screen, review the selections to ensure that they are correct. If they are not, click Back to modify selections on previous screens.
Click Configure.
On the Configuration screen, the wizard launches multiple configuration assistants. This process can be lengthy. When it completes, click Next.
On the Installation Complete screen, click Finish to confirm your choice to exit.
This section describes tasks for configuring Oracle HTTP Server for the WebLogic Domain, and for verifying the configuration. Perform these steps on each web host.
This section includes the following topics:
Section 10.3.1, "Configuring Oracle HTTP Server to Run as Software Owner"
Section 10.3.2, "Update Oracle HTTP Server Runtime Parameters"
Section 10.3.3, "Creating Virtual Hosts to Support Identity Management"
By default, the Oracle HTTP server runs as the user nobody. In the Identity Management installation, the Oracle HTTP server should run as the Software owner and group.
To cause it to run as the appropriate user and group, edit the file httpd.conf, which is located in:
WEB_ORACLE_INSTANCE/config/OHS/component_name
Find the section in httpd.conf where User is defined.
Change this section to read:
```apache
User User_who_installed_the_software
Group Group_under_which_the_HTTP_server_runs
```
Group is typically the default user group, for example: oinstall.
For example:
```apache
<IfModule !mpm_winnt_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
#
# User/Group: The name (or #number) of the user/group to run httpd as.
#  . On SCO (ODT 3) use "User nouser" and "Group nogroup".
#  . On HPUX you may not be able to use shared memory as nobody, and the
#    suggested workaround is to create a user www and use that user.
#  NOTE that some kernels refuse to setgid(Group) or semctl(IPC_SET)
#  when the value of (unsigned)Group is above 60000;
#  don't use Group #-1 on these systems!
#
User oracle
Group oinstall
</IfModule>
```
By default, the Oracle HTTP Server contains parameter values that are suitable for most applications. These values, however, must be adjusted in IDM Deployments.
Proceed as follows:
Edit the file httpd.conf, which is located in:
WEB_ORACLE_INSTANCE/config/OHS/component_name/
Find the entry that looks like this:
```apache
<IfModule mpm_worker_module>
```
Update the values in this section as follows:
```apache
<IfModule mpm_worker_module>
ServerLimit 20
StartServers 2
MaxClients 1000
MinSpareThreads 200
MaxSpareThreads 800
ThreadsPerChild 50
MaxRequestsPerChild 10000
AcceptMutex fcntl
LockFile "${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/http_lock"
</IfModule>
```
Save the file.
In order for Oracle HTTP server to service Oracle Identity Management, you must create a number of files to add support for virtual hosts. Each of the files in the following sections creates a virtual host definition and declares a number of URLs which can be accessed from within it. By enclosing the location directives inside the virtual host, these locations will only be available when invoked using the virtual host name. For example, you will be able to access the WebLogic console by using the URL http://ADMIN.mycompany.com/console but not by using the URL https://SSO.mycompany.com/console.
The following sections show sample configuration files for a complete Identity Management deployment. If you are only doing a partial deployment, only include those entries applicable to the components you are deploying. If you extend your domain at a later date with extra components, then you must update the files below with the entries required to support the components you are using.
Before creating virtual host directives, you must enable the Oracle HTTP Server to listen for virtual hosts on the default OHS listen port.
To do this, on each web host, edit the file httpd.conf, which is located in the directory: WEB_ORACLE_INSTANCE/config/OHS/component_name
Locate the line that looks like this:
```apache
#NameVirtualHost *:80
```
Add the following entry to the file, using 7777 or whatever your OHS_PORT value is, and save the file.
```apache
NameVirtualHost *:7777
```
Create the following files on each web host in the directory: WEB_ORACLE_INSTANCE/config/OHS/component_name/moduleconf
Create a file called admin_vh.conf. This will contain a list of locations which are supported by clients accessing the domain using ADMIN.mycompany.com.
```apache
<VirtualHost *:7777>
    ServerName ADMIN.mycompany.com:80
    RewriteEngine On
    RewriteOptions inherit
    ServerAdmin you@your.address

    ###################################
    ## General Domain Configuration
    ###################################
    # Admin Server and EM
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>
    <Location /consolehelp>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>
    <Location /em>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>

    ###################################################
    ## Entries Required by Oracle Entitlements Server
    ###################################################
    # APM
    <Location /apm>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>

    ##################################################
    ## Entries Required by Oracle Unified Directory
    ##################################################
    # OUD ODSM
    <Location /odsm>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>

    ##############################################
    ## Entries Required by Oracle Access Manager
    ##############################################
    # OAM Console
    <Location /oamconsole>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>

    ################################################
    ## Entries Required by Oracle Identity Manager
    ################################################
    # OIM self and advanced admin webapp consoles (canonic webapp)
    <Location /oim>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, xlWebApp - Legacy 9.x webapp (struts based)
    <Location /xlWebApp>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM self service console
    <Location /identity>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM Nexaweb WebApp - used for workflow designer and DM
    <Location /Nexaweb>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    <Location /sysadmin>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
</VirtualHost>
```
Create a file called sso_vh.conf. This will contain a list of locations which are supported by clients accessing the domain using SSO.mycompany.com. These are the main entry points for external users.
```apache
<VirtualHost *:7777>
    ServerName https://SSO.mycompany.com:443
    RewriteEngine On
    RewriteOptions inherit
    ServerAdmin you@your.address

    ##############################################
    ## Entries Required by Oracle Access Manager
    ##############################################
    # OAM Configuration
    <Location /oam>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
    </Location>
    # Required if using Oracle Identity Federation
    <Location /oamfed>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
    </Location>
    # Required if using Oracle Identity Federation
    <Location /sts>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName OAM_JSESSIONID
        WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
    </Location>

    ##################################################
    ## Entries Required by Oracle Identity Manager
    ##################################################
    # OIM, xlWebApp - Legacy 9.x webapp (struts based)
    <Location /xlWebApp>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM self service console
    <Location /identity>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
</VirtualHost>
```
Create a file called idminternal_vh.conf. This will contain a list of locations which are supported by clients accessing the domain using IDMINTERNAL.mycompany.com. These entries are used by internal callbacks.
```apache
<VirtualHost *:7777>
    ServerName http://IDMINTERNAL.mycompany.com:80
    RewriteEngine On
    RewriteOptions inherit
    ServerAdmin you@your.address

    #################################################
    ## Entries Required by Oracle Identity Manager
    #################################################
    # Provide the OIM Managed Server Port
    <Location /workflowservice>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, SOA Infra
    <Location /soa-infra>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster SOAHOST1VHN:8001,SOAHOST2VHN:8001
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, Used for provisioning-callback.
    <Location /provisioning-callback>
        SetHandler weblogic-handler
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, SOA Callback webservice for SOD - Provide the SOA Managed Server Ports
    <Location /sodcheck>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster SOAHOST1VHN:8001,SOAHOST2VHN:8001
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, SOA Callback
    <Location /integration>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster SOAHOST1VHN:8001,SOAHOST2VHN:8001
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, spml xsd profile
    <Location /spml-xsd>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, spml dsml profile
    <Location /spmlws>
        SetHandler weblogic-handler
        PathTrim /weblogic
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, role-sod profile
    <Location /role-sod>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, used for Callback service.
    <Location /callbackResponseService>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    # OIM, UMS Email Support
    <Location /ucs>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster SOAHOST1VHN:8001,SOAHOST2VHN:8001
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
    <Location /reqsvc>
        SetHandler weblogic-handler
        WLCookieName oimjsessionid
        WebLogicCluster OIMHOSTVHN1.mycompany.com:14000,OIMHOSTVHN2.mycompany.com:14000
        WLLogFile "${ORACLE_INSTANCE}/diagnostics/logs/OHS/oim_component.log"
    </Location>
</VirtualHost>
```
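The three files above depend on two properties that are easy to break when the files are later extended: administration paths (/console, /em, /oamconsole and so on) appear only inside the ADMIN virtual host, and every Location behind the SSL-terminating SSO virtual host carries WLProxySSL ON so that WebLogic builds https redirects. The following Python script is an added example, not part of the Oracle guide: it parses virtual-host files of this shape and reports admin paths served outside the ADMIN virtual host, and Locations under an https ServerName that lack WLProxySSL ON. The embedded configuration is a constructed, abbreviated sample that deliberately contains one of each mistake; ADMIN_ONLY_PATHS, the function names and the parser are assumptions of the example rather than anything Oracle ships.

```python
"""Lint OHS virtual-host files for an Identity Management web tier.

Added example, not from the Oracle guide. Parses <VirtualHost>/<Location>
blocks and reports admin paths exposed outside the ADMIN vhost and Locations
behind the SSL-terminated SSO vhost that lack `WLProxySSL ON`.
"""
import re
from dataclasses import dataclass, field

# Paths the guide serves only from admin_vh.conf (assumption of this example).
ADMIN_ONLY_PATHS = {"/console", "/consolehelp", "/em", "/apm", "/odsm", "/oamconsole", "/sysadmin"}

# Constructed sample: ADMIN vhost is correct; in the SSO vhost /identity is
# missing WLProxySSL and /console has (wrongly) been exposed externally.
SAMPLE_CONF = """\
<VirtualHost *:7777>
    ServerName ADMIN.mycompany.com:80
    <Location /console>
        SetHandler weblogic-handler
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>
</VirtualHost>
<VirtualHost *:7777>
    ServerName https://SSO.mycompany.com:443
    <Location /oam>
        SetHandler weblogic-handler
        WLProxySSL ON
        WLProxySSLPassThrough ON
        WebLogicCluster IDMHOST1.mycompany.com:14100,IDMHOST2.mycompany.com:14100
    </Location>
    <Location /identity>
        SetHandler weblogic-handler
        WebLogicCluster OIMHOST1VHN:14000,OIMHOST2VHN:14000
    </Location>
    <Location /console>
        SetHandler weblogic-handler
        WLProxySSL ON
        WebLogicHost ADMINVHN.mycompany.com
        WebLogicPort 7001
    </Location>
</VirtualHost>
"""


@dataclass
class Location:
    path: str
    directives: dict = field(default_factory=dict)


@dataclass
class VirtualHost:
    server_name: str = ""
    locations: list = field(default_factory=list)

    @property
    def ssl_terminated(self):
        # ServerName https://...:443 means the load balancer terminates SSL in front of OHS.
        return self.server_name.lower().startswith("https://") or self.server_name.endswith(":443")


def parse_vhosts(text):
    """Minimal parser for <VirtualHost> and <Location> containers; other containers are ignored."""
    vhosts, vh, loc = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"<VirtualHost\b", line, re.I):
            vh = VirtualHost()
            vhosts.append(vh)
        elif re.match(r"</VirtualHost>", line, re.I):
            vh = None
        elif (m := re.match(r"<Location\s+(\S+)\s*>", line, re.I)) and vh is not None:
            loc = Location(path=m.group(1))
            vh.locations.append(loc)
        elif re.match(r"</Location>", line, re.I):
            loc = None
        else:
            key, _, value = line.partition(" ")
            if loc is not None:
                loc.directives[key] = value.strip()
            elif vh is not None and key.lower() == "servername":
                vh.server_name = value.strip()
    return vhosts


def admin_paths_outside_admin_vhost(vhosts, admin_host="ADMIN.mycompany.com"):
    """(server_name, path) pairs where an admin-only path is served by a non-ADMIN vhost."""
    return [(vh.server_name, loc.path)
            for vh in vhosts if admin_host.lower() not in vh.server_name.lower()
            for loc in vh.locations if loc.path in ADMIN_ONLY_PATHS]


def locations_missing_wlproxyssl(vhosts):
    """(server_name, path) pairs on an SSL-terminated vhost whose Location lacks WLProxySSL ON."""
    return [(vh.server_name, loc.path)
            for vh in vhosts if vh.ssl_terminated
            for loc in vh.locations if loc.directives.get("WLProxySSL", "").upper() != "ON"]


if __name__ == "__main__":
    parsed = parse_vhosts(SAMPLE_CONF)
    for finding in admin_paths_outside_admin_vhost(parsed):
        print("admin path exposed outside ADMIN vhost:", finding)
    for finding in locations_missing_wlproxyssl(parsed):
        print("missing WLProxySSL ON behind SSL-terminated vhost:", finding)
```

To check a real web host, read the files from the moduleconf directory and pass their concatenated text to `parse_vhosts`; an empty result from both check functions is the expected state for the files shown in this section.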
Restart OHS on WEBHOST1 as follows:
```
WEB_ORACLE_INSTANCE/bin/opmnctl restartproc ias-component=ohs1
```
Restart OHS on WEBHOST2:
```
WEB_ORACLE_INSTANCE/bin/opmnctl restartproc ias-component=ohs2
```
Oracle WebLogic Server Administration Console tracks changes that are made to ports, channels and security using the console. When changes made through the console are activated, the console validates its current listen address, port and protocol. If the listen address, port and protocol are still valid, the console redirects the HTTP request, replacing the host and port information with the Administration Server's listen address and port. When the Administration Console is accessed using a load balancer, you must change the Administration Server's front end URL so that the user's browser is redirected to the appropriate load balancer address.
Setting the front end host and port as described in this section forces all access to the applications deployed in the WebLogic Administration Server to go through the Oracle HTTP Server. This means that, once single sign-on is enabled in the domain, access to administration consoles such as the WebLogic Console and the OAM Administration Console is under the control of Access Manager.
Note:
Once Single Sign-On is enabled, you can only access applications deployed in the administration server through the Oracle HTTP server. At least one Access Manager managed server must be running.
You cannot start managed servers by using the WebLogic Console until at least one Access Manager managed server has been started. See Section 17.1.3.1, "Starting an Access Manager Managed Server When None is Running" for instructions on starting an Access Manager managed server without using the console.
If you do not want to protect applications deployed in the Administration Server with Oracle Single Sign-on, that is, if you want to allow direct access to those applications, bypassing corporate security, you can do so by not setting the front end host and port as described in this section. Oracle does not recommend this.
To make this change, perform the following steps:
Log in to Oracle WebLogic Server Administration Console at the URL http://ADMINVHN.mycompany.com:7001/console, where 7001 is WLS_ADMIN_PORT, as described in Section B.3.
Click Lock and Edit.
Expand the Environment node in the Domain Structure window.
Click Servers to open the Summary of Servers page.
Select AdminServer(admin) in the Names column of the table. The Settings page for AdminServer(admin) appears.
Click the Protocols tab.
Click the HTTP tab.
Set the Front End Host and Front End HTTP PORT fields to your load balancer address, as follows.
Front End Host: ADMIN.mycompany.com
Front End HTTP PORT: 80 (HTTP_PORT)
Save and activate the changes.
Restart Administration server.
To eliminate redirections, best practice is to disable the Administration Console's Follow Configuration Changes feature. To do this, log in to the Administration Console and click Preferences -> Shared Preferences. Deselect Follow Configuration Changes and click Save.
Verify that the server status is reported as Running in the Administration Console. If the server is shown as Starting or Resuming, wait for the server status to change to Started. If another status is reported (such as Admin or Failed), check the server output log files for errors. See Section 17.10, "Troubleshooting" for possible causes.
Note:
After restarting the domain and the Oracle HTTP Server, the Oracle HTTP Server should appear as a manageable target in Oracle Enterprise Manager Fusion Middleware Control. To verify this, log in to Fusion Middleware Control. The WebTier item in the navigation tree should show that Oracle HTTP Server has been registered.
After the installation is completed, perform the following validations.
Check that you can access the Oracle HTTP Server by using the following URLs:
http://WEBHOST1.mycompany.com:7777/ (where 7777 is the OHS_PORT, as described in Section B.3)
http://WEBHOST2.mycompany.com:7777/
https://SSO.mycompany.com/
http://IDMINTERNAL.mycompany.com
Validate Access to Oracle Directory Services Manager for Oracle Unified Directory using the URL http://ADMIN.mycompany.com/odsm and create a connection to one of the local Oracle Unified Directory servers.
Validate Access to Oracle Entitlements Server Policy Manager using the URL http://ADMIN.mycompany.com/apm. Log in using the WebLogic Administrator account for APM, for example: weblogic.
Validate Access to WebLogic Console using the URL http://ADMIN.mycompany.com/console. Log in using the WebLogic Administrator account, for example: weblogic.
Validate Access to Oracle Enterprise Manager Fusion Middleware Control using the URL http://ADMIN.mycompany.com/em. Log in using the WebLogic Administrator account, for example: weblogic.
Server or Console | URL |
---|---|
Oracle HTTP Server SSO | https://SSO.mycompany.com/ |
Oracle HTTP Server Internal | http://IDMINTERNAL.mycompany.com |
Oracle Directory Services Manager for Oracle Unified Directory | http://ADMIN.mycompany.com/odsm |
Oracle Entitlements Server Policy Manager | http://ADMIN.mycompany.com/apm |
WebLogic Console | http://ADMIN.mycompany.com/console |
Oracle Enterprise Manager Fusion Middleware Control | http://ADMIN.mycompany.com/em |
Back up the Web Tier binaries and Domain Home, as described in Section 17.6.3, "Performing Backups During Installation and Configuration."