This chapter describes how to install and configure Apache (2.2.x) 11g Release 2 WebGate for Oracle Access Manager. For an introduction to WebGates and an overview of installing WebGates, see Chapter 1.
This document contains the following sections:
Section 4.1, "Installation Overview of Apache (2.2.x) 11g WebGate"
Section 4.2, "Prerequisites for Installing Apache (2.2.x) 11g WebGate"
Section 4.4, "Post-Installation Steps for Apache (2.2.x) 11g WebGate"
Section 4.5, "Verifying the Installation and Configuration of Apache (2.2.x) 11g WebGate"
Section 4.6, "Getting Started with a New Apache (2.2.x) 11g WebGate"
Section 4.7, "Starting the Apache (2.2.x) Web Server and Accessing the Apache (2.2.x) Resource"
Section 4.9, "Silent Installation for Apache (2.2.x) 11g WebGate"
Installing Apache (2.2.x) 11g WebGate for Oracle Access Manager involves the following steps:
Installing the Apache (2.2.x) web server
Installing Apache (2.2.x) 11g WebGate for Oracle Access Manager
Completing the post-installation configuration steps
Verifying the Apache (2.2.x) 11g WebGate installation
Registering the new WebGate agent
This section contains the following topics:
The Oracle Fusion Middleware Supported System Configurations document provides certification information for Oracle Fusion Middleware, including supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0).
You can access the Oracle Fusion Middleware Supported System Configurations document at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
You must have Java runtime environment (JRE) 1.6 or higher installed.
If you are installing Apache (2.2.x) 11g WebGate on a 64-bit platform, ensure that you have a 64-bit JRE.
For information about installing and configuring Apache (2.2.x), see the Apache Web Server product documentation.
For information about installing Oracle Access Manager (OAM), see "Installing and Configuring Oracle Identity and Access Management (11.1.2.1.0)" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
For information about configuring Oracle Access Manager in a new or existing WebLogic administration domain, see "Configuring Oracle Access Manager" in the Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
In addition, see "Securing Communication" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager for information about configuring Oracle Access Manager in Open, Simple, or Cert mode.
If you are using Windows 2003 or Windows 2008 64-bit operating systems, you must install Microsoft Visual C++ 2005 libraries on the machine hosting the Apache (2.2.x) 11g WebGate for Oracle Access Manager.
These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:
In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:
This section contains the following topics:
For information about obtaining the Apache (2.2.x) 11g WebGate software, see the Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
To start the installation wizard, do the following:
Go to the directory in which you extracted the contents of the Installer.
Go to the following location:
cd Disk1
Run the following command:
On UNIX
./runInstaller -jreLoc JRE_Location
On Windows
setup.exe -jreLoc JRE_Location
Specify the JRE/JDK location when prompted. Ensure that you provide the complete path to a 64-bit JRE/JDK if you are installing on a 64-bit platform and 32-bit JRE/JDK if you are installing on a 32-bit platform.
After the Installer starts, the Welcome screen is displayed. Proceed with the installation by referring to Section 4.3.
To install Apache (2.2.x) 11g WebGate for Oracle Access Manager, follow the instructions in Table 4-1.
If you need additional help with any of the installation screens, click Help to access the online help.
Table 4-1 Installation Flow of Apache WebGate
| No. | Screen | Description and Action Required |
|---|---|---|
|
1 |
Welcome Screen |
Click Next to continue. |
|
2. |
My Oracle Support Update Screen |
Specify the update option or select Skip Software Updates. Click Next to continue. |
|
3. |
Prerequisite Checks Screen |
Click Next to continue. |
|
4. |
Specify Installation Location Screen |
Specify the Oracle home directory locations. For more information about these directories, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in the Oracle Fusion Middleware Installation Planning Guide. Click Next to continue. |
|
5. |
Installation Summary Screen |
Verify the information on this screen. Click Install to begin the installation. |
|
6. |
Installation Progress Screen |
Click Next to continue. |
|
7. |
Installation Complete Screen |
Click Finish to dismiss the Installer. |
This section contains the following topics:
Create an Apache (2.2.x) 11g WebGate instance by using the deployWebGateInstance.sh tool from the WebGate Oracle home directory. The WebGate instance directory that you are creating or have provided must be empty.
To deploy the WebGate instance, do the following:
Go to the WebGate_Oracle_Home/webgate/apache/tools/deployWebGate directory by running the following command:
cd WebGate_Oracle_Home/webgate/apache/tools/deployWebGate
Run the following command:
./deployWebGateInstance -w WebGate_Instancedir -oh WebGate_Oracle_Home -ws WebServer
In the preceding command:
WeGate_Instancedir is the directory in which the new WebGate instances should be created.
WebGate_Oracle_Home is the WebGate Oracle home directory you specified while installing Apache (2.2.x) 11g WebGate.
WebServer is Apache.
Example:
./deployWebGateInstance -w /home/wg_instance4Apache22 -oh /home/Oracle_OAMWebGate1/ -ws apache
Set the environment variable LD_LIBRARY_PATH on Linux and Solaris, and LIBPATH on AIX to WebGate_Oracle_Home/webgate/apache/lib.
Example:
On Linux and Solaris
export LD_LIBRARY_PATH=/home/Oracle_OAMWebGate1/webgate/apache/lib
On AIX
export LIBPATH=/home/Oracle_OAMWebGate1/webgate/apache/lib
On Windows 2008 R2 +
From the Control Panel, go to System and Security, and then System.
Select Advance system settings and then select Environment Variable.
Update the Path System variable with WebGate_Oracle_Home/webgate/apache/lib directory.
To run the EditHttpConf tool, do the following:
Go to the WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools directory, by running the following command:
cd WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools
Run the following command:
./EditHttpConf -f path_to_webserver_config_file -w WebGate_Instance_Dir -oh WebGate_Oracle_Home -ws WebServer
In the preceding command:
path_to_webserver_config_file is the full path of the Apache (2.2.x) instance httpd.conf file.
WebGate_Instance_Dir is the directory in which the new WebGate instance is created.
WebGate_Oracle_Home is the full path to the WebGate Oracle home.
WebServer is Apache.
Note:
The -oh parameter is optional and the command runs without any error, even if you do not specify it.
Example:
cd /home/OAMWebGate1/webgate/apache/tools/setup/InstallTools/
./EditHttpConf -f /home/instanceHome1/net-test_apache/config/test_httpd.conf -oh /home/Oracle_OAMWebGate1/ -w /home/Oracle_OAMWebGate1/wg_instance4Apache/ -ws apache
After installing Apache (2.2.x) 11g WebGate for Oracle Access Manager, you can examine the installDATE-TIME_STAMP.out log file to verify the installation. The default log is available in the following location:
WebGate_Home/oraInst.loc
Before you can use the new Apache (2.2.x) 11g WebGate agent for Oracle Access Manager, you must complete the following tasks:
You can register the new Apache (2.2.x) 11g WebGate agent with Oracle Access Manager by using the Oracle Access Manager Administration console. For more information, see "Registering an OAM Agent Using the Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management.
Alternatively, you can use the RREG command-line tool to register a new WebGate agent. You can run the tool in two modes: In-Band and Out-Of-Band.
This section contains the following topics:
To set up the RREG tool, complete the following steps:
After installing and configuring Oracle Access Manager, go to the following directory:
Oracle_IDM2/oam/server/rreg/client
Untar the RREG.tar.gz file.
Example:
gunzip RREG.tar.gz
tar -xvf RREG.tar
The tool for registering the agent is located at:
RREG_Home/bin/oamreg.sh
Note:
RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg.
Set the following environment variables in the oamreg.sh script:
OAM_REG_HOME
Set this variable to the absolute path to the directory in which you extracted the contents of RREG.tar/rreg.
JDK_HOME
Set this variable to the absolute path to the directory in which Java or JDK is installed on your machine.
You must update the agent parameters, such as agentName, in the OAM11GRequest.xml file in the RREG_Home/input directory.
Note:
The OAM11GRequest.xml file or the short version OAM11GRequest_short.xml is used as a template. You can copy this template file and use it.
Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:
serverAddress
Specify the host and the port of the OAM Administration Server.
agentName
Specify any custom name for the agent.
agentBaseUrl
Specify the host and the port of the machine on which Apache 11g WebGate is installed.
preferredHost
Specify the host and the port of the machine on which Apache 11g WebGate is installed.
security
Specify the security mode, such as open, based on the WebGate installed.
primaryServerList
Specify the host and the port of Managed Server for the Oracle Access Manager proxy, under a Server container element.
After modifying the file, save and close it.
If you run the RREG tool once after updating the WebGate parameters in the OAM11GRequest.xml file, the files and artifacts required by WebGate are generated in the following directory:
RREG_Home/output/agent_name
Note:
You can run RREG either on a client machine or on the server. If you are running it on the server, then you must manually copy the artifacts back to the client.
Complete the following steps:
Open the OAM11GRequest.xml file, which is in the input directory at RREG_Home/input/. RREG_Home is the directory where you extracted the contents of RREG.tar.gz/rreg to. Edit the XML file and fill in parameters for the new Apache WebGate for Oracle Access Manager.
Run the following command:
./RREG_Home/bin/oamreg.sh inband input/OAM11GRequest.xml
If you are an end-user with no access to the server, then you can email your updated OAM11GRequest.xml file to the system administrator, who can run RREG in the out-of-band mode. You can collect the generated AgentID_Response.xml file from the system administrator and run RREG on this file to obtain the WebGate files and artifacts you require.
After you receive the generated AgentID_Response.xml file from the administrator, you must manually copy the file to the input directory on your machine.
Complete the following steps:
If you are an end-user with no access to the server, open the OAM11GRequest.xml file, which is in RREG_Home/input/.
RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg. Edit this XML file and specify parameters for the new Apache WebGate for Oracle Access Manager. Send the updated file to your system administrator.
If you are an administrator, copy the updated OAM11GRequest.xml file, which is in the RREG_Home/input/ directory.
This is the file that you received from the end-user. Go to your (administrator's) RREG_Home directory and run the following command:
./RREG_Home/bin/oamreg.sh outofband input/OAM11GRequest.xml
An Agent_ID_Response.xml file is generated in the output directory on the administrator's machine, in the RREG_Home/output/directory. Send this file to the end user who sent you the updated OAM11GRequest.xml file.
If you are an end-user, copy the generated Agent_ID_Response.xml file, which is in the RREG_Home/input/ directory.
This is the file that you received from the administrator. Go to your (client's) RREG home directory and run the following command:
./RREG_Home/bin/oamreg.sh outofband input/Agent_ID_Response.xml
Note:
If you register the WebGate agent by using the Oracle Access Manager Administration Console, as described in "Registering an OAM Agent Using the Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, then you must manually copy the files and artifacts generated after the registration from the server (the machine on which the Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the MW_HOME/user_projects/domains/name_of_the_WebLogic_domain_for_OAM/output/Agent_ID directory.
Regardless of the method or mode you use to register the new WebGate agent, the following files and artifacts are generated in the RREG_Home/output/Agent ID directory:
cwallet.sso
ObAccessClient.xml
In SIMPLE mode, RREG generates:
password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be the same as the passphrase used on the server.
aaa_key.pem
aaa_cert.pem
In CERT mode, RREG generates password.xml file, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be different than the passphrase used on the server.
Note:
You can use these files generated by RREG to generate a certificate request and get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.
After RREG generates these files and artifacts, you must manually copy the following files, based on the security mode you are using, from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home directory.
Do the following according to the security mode you are using:
In OPEN mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
In SIMPLE mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
In addition, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config/simple directory:
aaa_key.pem
aaa_cert.pem
In CERT mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
After copying the files, you must either generate a new certificate or migrate an existing certificate.
You can generate a new certificate as follows:
Go to the WebGate_Home/webgate/apache/tools/openssl directory.
Create a certificate request as follows:
./openssl req -utf8 -new -nodes -config openssl_silent_ohs11g.cnf -keyout aaa_key.pem -out aaa_req.pem -rand WebGate_Home/webgate/apache/config/random-seed
Self-sign the certificate as follows:
./openssl ca -config openssl_silent_ohs11g.cnf -policy policy_anything -batch -out aaa_cert.pem -infiles aaa_req.pem
Copy the following generated certificates to the WebGate_Instance_Home/webgate/config directory:
aaa_key.pem
aaa_cert.pem
cacert.pem located in the simpleCA directory
Note:
After copying the cacert.pem file, you must rename the file to aaa_chain.pem.
Migrating an Existing Certificate
If you want to migrate an existing certificate (aaa_key.pem, aaa_cert.pem, and aaa_chain.pem), then ensure that you use the same passphrase which you used to encrypt aaa_key.pem. You must enter the same passphrase during the RREG registration process. If you do not use the same passphrase, then the password.xml file generated by RREG will not match the passphrase used to encrypt the key.
If you enter the same passphrase, then you can copy these certificates as follows:
Go to the WebGate_Instance_Home/webgate/config directory.
Copy the following certificates to the WebGate_Instance_Home/webgate/config directory:
aaa_key.pem
aaa_cert.pem
aaa_chain.pem
Before you start the web server, ensure that you have set the environment variable as specified in Section 4.2.
To start the Apache (2.2.x) web server, run the following command:
/home/Apache/bin/apachectl -k start
After you start the Apache (2.2.x) web server, log in by using the following URL:
http://machine_name.my.company.com:port
WebGate intercepts the request and redirects you to the Oracle Access Manager console. Enter the username and password, and you are redirected to the Apache WebServer.
You should always use the instructions provided in this section for removing the Apache (2.2.x) 11g WebGate for Oracle Access Manager. If you try to remove the software manually, then you may experience problems when you try to reinstall the software again at a later time. Following the procedures in this section will ensure that the software is properly removed.
To deinstall the WebGate agent, do the following:
Go to the MW_HOME/WebGate_Home/oui/bin directory on UNIX, and MW_HOME\Webgate_home\oui\bin on Windows.
Run the following command:
On UNIX:
./runInstaller -deinstall
On Windows:
setup.exe -deinstall -jreLoc JRE_LOCATION
Ensure that you specify the absolute path to your JRE_LOCATION; relative paths are not supported.
After the deinstaller starts, the Welcome screen is displayed. Proceed with the deinstallation by referring to Section 4.8.
Follow the instructions in Table 4-2 to complete the deinstallation.
If you need additional help with any of the deinstallation screens, then click Help to access the online help.
| Sl. No. | Screen | Description | Action Required |
|---|---|---|---|
|
1. |
Welcome |
Each time the deinstaller starts, the Welcome screen is displayed. |
Click Next. |
|
2. |
Deinstall Oracle Home |
The Deinstall Oracle Home screen shows the Oracle home you are about to deinstall. |
Verify the Oracle home you are about to deinstall. Click Deinstall. On the Warning screen, select whether or not you want the deinstaller to remove the Oracle home directory in addition to removing the software. Click Yes to have the deinstaller remove the software and Oracle home, No to remove only the software, or Cancel to return to the previous screen. If you select No, see Section 4.8.2 for instructions on how to manually remove your Oracle home directory. |
|
3. |
Deinstallation progress |
The Deinstallation Progress screen shows the progress and status of the deinstallation. |
Wait until the Deinstallation Complete screen appears. |
|
4. |
Deinstallation Complete |
The Deinstallation Complete screen appears when the deinstallation is complete. |
Click Finish to dismiss the screen. |
If you have selected No on the warning screen during deinstallation, then you must manually remove your Webgate_Home directory and any sub-directories. For example: if your Oracle WebGate home directory was /home/Oracle/Middleware/Oracle_OAMWebGate1, run the following command:
cd /home/Oracle/Middleware/
rm -rf Oracle_OAMWebGate1
On Windows, if your Oracle Common home directory is C:\Oracle\Middleware\Oracle_OAMWebGate1, then use a file manager window, go to the C:\Oracle\Middleware directory, right-click on the Oracle_OAMWebGate1 folder, and then select Delete.
To run the Apache (2.2.x) 11g WebGate in silent mode, complete the following steps:
Set the contents of the silent.rsp file. For example:
[ENGINE] #DO NOT CHANGE THIS. Response File Version=1.0.0.0.0 [GENERIC] ORACLE_HOME=/home/MW_HOME/Apache_Webgate_home CONFIG_WIZARD_RESPONSE_FILE_LOCATION=0 ORACLE HOME FREE SPACE=0 SKIP_SOFTWARE_UPDATES=true [SYSTEM] [APPLICATIONS] [RELATIONSHIPS]
In the preceding file, the parameters are as follows:
ORACLE_HOME: Provide the Oracle home location. This is the directory in which you want to install the new Apache (2.2.x) 11g WebGate. The location must be an immediate child folder under the specified Middleware home location. The Oracle home directory name can contain only alphanumeric, hyphen (-), dot (.), and underscore (_) characters, and must begin with an alphanumeric character. The total length has to be less than or equal to 128 characters. For example, home/middleware/apache_webgate.
MW_HOME: Specify the full path to your Middleware home directory.
Extract the contents of the installer to a directory.
Run the following command:
WebGate_Installer_Directory/Disk1/runInstaller -jreLoc jre_location -invPtrLoc Absolute_Path_Of_the_oraInst.loc_file -silent -response Absolute_Path_Of_the_silent.rsp_file
In the preceding command:
WebGate_Installer_Directory is the absolute path to the directory in which you have extracted the contents of the WebGate installer.
jre_location is the absolute path to the JRE directory.
Absolute_Path_Of_the_oraInst.loc_file is the absolute path to the oraInst.loc file.
Absolute_Path_Of_the_silent.rsp_file is the absolute path to the silent.rsp file you created.