This chapter describes how to install and configure Apache 11g WebGate for Oracle Access Manager. For an introduction to WebGates and an overview of installing WebGates, see Chapter 1.
Installing Apache 11g WebGate for Oracle Access Manager includes the following steps:
Installing the Apache web server
Installing Apache 11g WebGate for Oracle Access Manager
Completing the post-installation configuration steps
Verifying the Apache 11g WebGate installation
Registering the new WebGate agent
The Oracle Fusion Middleware Supported System Configurations document provides certification information for Oracle Fusion Middleware, including supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0).
You can access the Oracle Fusion Middleware Supported System Configurations document at:
http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html
You must have a 64-bit Java runtime environment (JRE) 1.7 or higher installed.
For information about installing and configuring Apache 2.2 and 2.4, see the Apache product documentation.
For information about installing Oracle Access Manager (OAM), see "Installing and Configuring Oracle Identity and Access Management (11.1.2.2.0)" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
For information about configuring Oracle Access Manager in a new or existing WebLogic administration domain, see "Configuring Oracle Access Management" in Oracle Fusion Middleware Installation Guide for Oracle Identity and Access Management.
In addition, see "Securing Communication Between OAM 11g Servers and WebGates" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager for information about configuring Oracle Access Manager in Open, Simple, or Cert mode.
For information about obtaining the Apache 11.1.2.2.0 WebGate software, see Oracle Fusion Middleware Download, Installation, and Configuration ReadMe.
To start the installation wizard, do the following:
Go to the directory in which you extracted the contents of the Installer.
Go to the following location:
cd Disk1
Run the following command:
On UNIX:
./runInstaller -jreLoc <location_of_jre>
On Windows:
setup.exe -jreLoc <location_of_jre>
On Windows, run the following command to deploy a WebGate instance (the paths shown are examples; -w names the directory in which the instance is created and -oh names the WebGate Oracle home):
deployWebGateInstance.bat -w c:\haripnar\MW_HOME\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\haripnar\MW_HOME\Oracle_OAMWebGate1
On Windows, LD_LIBRARY_PATH is not used; instead add the WebGate Apache library directory to the PATH variable:
set PATH=<Oracle_OAMWebGate1>\webgate\apache\lib;%PATH%
That is, the directory is added to the PATH environment variable, separated from the existing entries by a semicolon (;).
After the Installer starts, the Welcome screen appears. Continue by referring to the section Installation Flow and Procedure of Apache 11g WebGate for installing Apache 11g WebGate for Oracle Access Manager.
To install Apache 11g WebGate for Oracle Access Manager, follow the instructions in Table 5-1.
If you need additional help with any of the installation screens, click Help to access the online help.
Table 5-1 Installation Flow of Apache WebGate
No. | Screen | Description and Action Required |
---|---|---|
1 | Welcome Screen | Click Next to continue. |
2 | Prerequisite Checks Screen | Click Next to continue. |
3 | Specify Installation Location Screen | Specify the Middleware home and Oracle home locations. For more information about these directories, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in Oracle Fusion Middleware Installation Planning Guide. For Apache WebGate the Oracle home can be any valid directory; it does not have to be under the Middleware home, so the Installer proceeds without error if the Middleware home is omitted or invalid. Click Next to continue. |
4 | Installation Summary Screen | Verify the information on this screen. Click Install to begin the installation. |
5 | Installation Progress Screen | Click Next to continue. |
6 | Installation Complete Screen | Click Finish to dismiss the Installer. |
Create an Apache WebGate instance by using the deployWebGateInstance.sh tool from the WebGate Oracle home directory.
To deploy the WebGate instance, do the following:
Go to the WebGate_Oracle_Home/webgate/apache/tools/deployWebGate directory by running the following command:
cd WebGate_Oracle_Home/webgate/apache/tools/deployWebGate
Run the following command:
./deployWebGateInstance.sh -w WebGate_Instancedir -oh WebGate_Oracle_Home -ws apache
In this command:
WebGate_Instancedir is the directory in which the new WebGate instance should be created.
WebGate_Oracle_Home is the WebGate Oracle home directory you specified while installing Apache 11g WebGate.
-ws apache specifies the web server type, which is Apache.
Example:
./deployWebGateInstance.sh -w /home/wg_instance4apache/ -oh /home/Oracle_OAMWebGate1/ -ws apache
For Apache WebGate, you must set the PRELOAD flag on AIX and Solaris platforms:
On AIX:
export LDR_PRELOAD64=libclntsh.so
On Solaris:
export LD_PRELOAD_64=webgate_install_home/lib/libclntsh.so.11.1:webgate_install_home/lib/libnnz11.so
Set the library path environment variable so that Apache can load the WebGate module and its dependencies:
On Linux, SPARC, and Solaris:
export LD_LIBRARY_PATH=/webgate_oracle_home/Oracle_OAMWebGate1/webgate/apache/lib
On AIX:
export LIBPATH=/webgate_oracle_home/Oracle_OAMWebGate1/webgate/apache/lib
To run the EditHttpConf tool, do the following:
Go to the WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools directory by running the following command:
cd WebGate_Oracle_Home/webgate/apache/tools/setup/InstallTools
Run the following command:
On UNIX:
./EditHttpConf -f path_to_webserver_config_file -w WebGate_Instance_Dir -oh WebGate_Oracle_Home -ws WebServer
On Windows:
EditHttpConf.exe -f path_to_webserver_config_file -w WebGate_Instance_Dir -oh WebGate_Oracle_Home -ws WebServer -o output_file
In the preceding command:
path_to_webserver_config_file is the full path of the Apache instance's httpd.conf file (the main Apache configuration file, as in the examples below). EditHttpConf changes this file, so keep a backup of it before running the tool.
WebGate_Instance_Dir is the directory in which the new WebGate instance was created.
WebGate_Oracle_Home is the full path to the WebGate Oracle home.
WebServer is apache or apache24, depending on your Apache version: use apache for Apache 2.2 and apache24 for Apache 2.4.
output_file (Windows only) specifies the output file.
Example:
On Apache 2.2:
cd /home/OAMWebGate1/webgate/apache/tools/setup/InstallTools/
./EditHttpConf -f /home/webserver-apache22/conf/httpd.conf -oh /home/Webgate_Oracle_Home/ -w /home/webgate_instance4Apache/ -ws apache
On Apache 2.4:
cd /home/OAMWebGate1/webgate/apache/tools/setup/InstallTools/
./EditHttpConf -f /home/webserver-apache24/conf/httpd.conf -oh /home/Webgate_Oracle_Home/ -w /home/webgate_instance4Apache/ -ws apache24
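The following shell script is an added example; it is not part of the Oracle documentation and does not ship with WebGate. It strings the deployment steps above together: it derives the -ws value from the Apache version banner instead of guessing it, prints the platform-specific library-path settings listed earlier, backs up httpd.conf before EditHttpConf rewrites it, and refuses to deploy over an existing instance directory. The tool names, flags and directories are the ones this chapter documents; the paths in the usage line are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code. Wraps deployWebGateInstance.sh and
# EditHttpConf from the Apache WebGate Oracle home (the tool names, flags
# and directories are the ones this chapter documents).

# Map the "httpd -v" banner to the -ws value EditHttpConf expects
# (Apache 2.2 -> apache, Apache 2.4 -> apache24). Any other version is
# rejected instead of guessed.
ws_flag_for_version() {
    case "$1" in
        *"Apache/2.2."*) echo apache ;;
        *"Apache/2.4."*) echo apache24 ;;
        *) echo "unsupported Apache version: $1" >&2; return 1 ;;
    esac
}

# Print the environment settings required before Apache is started with
# the WebGate module: LD_LIBRARY_PATH on Linux/Solaris, LIBPATH on AIX,
# plus the PRELOAD variables this chapter requires on AIX and Solaris.
# $1 = output of "uname -s", $2 = WebGate Oracle home.
webgate_env_for_platform() {
    os=$1; oh=$2
    case "$os" in
        Linux)
            echo "export LD_LIBRARY_PATH=$oh/webgate/apache/lib" ;;
        SunOS)
            echo "export LD_PRELOAD_64=$oh/lib/libclntsh.so.11.1:$oh/lib/libnnz11.so"
            echo "export LD_LIBRARY_PATH=$oh/webgate/apache/lib" ;;
        AIX)
            echo "export LDR_PRELOAD64=libclntsh.so"
            echo "export LIBPATH=$oh/webgate/apache/lib" ;;
        *) echo "unsupported platform: $os" >&2; return 1 ;;
    esac
}

# deploy_and_edit <WebGate_Oracle_Home> <WebGate_Instancedir> <httpd.conf> <httpd binary>
deploy_and_edit() {
    oh=$1; inst=$2; conf=$3; httpd=$4
    ws=$(ws_flag_for_version "$("$httpd" -v 2>/dev/null)") || return 1
    [ -x "$oh/webgate/apache/tools/deployWebGate/deployWebGateInstance.sh" ] \
        || { echo "not an Apache WebGate Oracle home: $oh" >&2; return 1; }
    # Never deploy over an existing instance: it may already hold registered artifacts.
    [ ! -e "$inst" ] || { echo "instance directory exists, refusing to overwrite: $inst" >&2; return 1; }
    # Keep a copy of httpd.conf so the lines EditHttpConf adds can be reviewed or reverted.
    backup="$conf.pre-webgate.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 1
    (cd "$oh/webgate/apache/tools/deployWebGate" \
        && ./deployWebGateInstance.sh -w "$inst" -oh "$oh" -ws apache) || return 1
    (cd "$oh/webgate/apache/tools/setup/InstallTools" \
        && ./EditHttpConf -f "$conf" -oh "$oh" -w "$inst" -ws "$ws") || return 1
    echo "httpd.conf changes made by EditHttpConf (backup in $backup):"
    diff -u "$backup" "$conf" || true
    echo "set these before starting Apache:"
    webgate_env_for_platform "$(uname -s)" "$oh"
}

# Usage (illustrative paths):
#   deploy_and_edit /home/Oracle_OAMWebGate1 /home/wg_instance4apache \
#       /home/webserver-apache24/conf/httpd.conf /home/webserver-apache24/bin/httpd
if [ "$#" -eq 4 ]; then
    deploy_and_edit "$@"
fi
```

Review the diff it prints before restarting Apache: the only lines that should have changed are the ones EditHttpConf added for the WebGate module.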
After installing Apache 11g WebGate for Oracle Access Manager, you can examine the installDATE-TIME_STAMP.out log file to verify the installation. The installer writes its logs to the logs directory of the Oracle inventory; the inventory location is the inventory_loc entry in the oraInst.loc file (the file you pass with -invPtrLoc, or the platform default such as /etc/oraInst.loc on Linux).
Before you can use the new Apache 11g WebGate for Oracle Access Manager, you must complete the following tasks:
You can register the new WebGate with Oracle Access Manager by using the Oracle Access Manager Administration Console. For more information, see "Registering Partners (Agents and Applications) by Using the Console" in Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager with Oracle Security Token Service.
Alternatively, you can use the RREG command-line tool to register a new WebGate agent. You can run the tool in two modes: In-Band and Out-Of-Band.
To set up the RREG tool, complete the following steps:
After installing and configuring Oracle Access Manager, go to the following directory:
Oracle_IDM2/oam/server/rreg/client
Extract the RREG.tar.gz file. Example:
gunzip RREG.tar.gz
tar -xvf RREG.tar
The tool for registering the agent is located at:
RREG_Home/bin/oamreg.sh
Note: RREG_Home is the rreg directory created when you extracted RREG.tar.gz.
Set the following environment variables in the oamreg.sh script:
OAM_REG_HOME: set this variable to the absolute path of the rreg directory extracted from RREG.tar.gz (that is, RREG_Home).
JDK_HOME: set this variable to the absolute path of the directory in which Java or the JDK is installed on your machine.
You must update the agent parameters, such as agentName, in the OAM11GRequest.xml file in the RREG_Home/input directory.
Note: The OAM11GRequest.xml file, or the short version OAM11GRequest_short.xml, is used as a template. Copy the template and edit the copy.
Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:
serverAddress: the host and port of the OAM Administration Server.
agentName: any custom name for the agent.
agentBaseUrl: the host and port of the machine on which Apache 11g WebGate is installed.
preferredHost: the host and port of the machine on which Apache 11g WebGate is installed.
security: the security mode, such as open, matching the mode the installed WebGate will run in (Open, Simple, or Cert).
primaryServerList: the host and port of the Managed Server for the Oracle Access Manager proxy, under a Server container element.
After modifying the file, save and close it.
If you run the RREG tool after updating the WebGate parameters in the OAM11GRequest.xml file, the files and artifacts required by WebGate are generated in the RREG_Home/output/agent_name directory.
Note: You can run RREG either on a client machine or on the server. If you run it on the server, you must manually copy the artifacts back to the client.
Complete the following steps:
Open the OAM11GRequest.xml file, which is in the RREG_Home/input/ directory. RREG_Home is the rreg directory extracted from RREG.tar.gz. Edit the XML file and fill in the parameters for the new Apache WebGate for Oracle Access Manager.
From the RREG_Home directory, run the following command:
./bin/oamreg.sh inband input/OAM11GRequest.xml
If you are an end user with no access to the server, you can email your updated OAM11GRequest.xml file to the system administrator, who runs RREG in out-of-band mode. You then collect the generated AgentID_Response.xml file from the system administrator and run RREG on this file to obtain the WebGate files and artifacts you require. The artifacts derived from the response file include the agent's credentials (cwallet.sso), so exchange both files over a channel you trust and remove stray copies once the WebGate is configured.
After you receive the generated AgentID_Response.xml file from the administrator, you must manually copy the file to the input directory on your machine.
Complete the following steps:
If you are an end user with no access to the server, open the OAM11GRequest.xml file, which is in RREG_Home/input/. RREG_Home is the rreg directory extracted from RREG.tar.gz. Edit this XML file and specify the parameters for the new Apache WebGate for Oracle Access Manager. Send the updated file to your system administrator.
If you are an administrator, copy the updated OAM11GRequest.xml file that you received from the end user into your (administrator's) RREG_Home/input/ directory. Then go to your RREG_Home directory and run the following command:
./bin/oamreg.sh outofband input/OAM11GRequest.xml
An Agent_ID_Response.xml file is generated in the RREG_Home/output/ directory on the administrator's machine. Send this file to the end user who sent you the updated OAM11GRequest.xml file.
If you are an end user, copy the generated Agent_ID_Response.xml file that you received from the administrator into your (client's) RREG_Home/input/ directory. Then go to your RREG_Home directory and run the following command:
./bin/oamreg.sh outofband input/Agent_ID_Response.xml
Note: If you register the WebGate agent by using the Oracle Access Manager Administration Console, as described in "Registering Partners (Agents and Applications) by Using the Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, you must manually copy the files and artifacts generated by the registration from the server (the machine on which the Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the MW_HOME/user_projects/domains/name_of_the_WebLogic_domain_for_OAM/output/Agent_ID directory.
Regardless of the method or mode you use to register the new WebGate agent, the following files and artifacts are generated in the RREG_Home/output/Agent_ID directory:
cwallet.sso
ObAccessClient.xml
In SIMPLE mode, RREG additionally generates:
password.xml, which contains the obfuscated global passphrase used to encrypt the private key used in SSL. This passphrase can be the same as the passphrase used on the server.
aaa_key.pem
aaa_cert.pem
In CERT mode, RREG generates the password.xml file, which contains the obfuscated global passphrase used to encrypt the private key used in SSL. This passphrase can be different from the passphrase used on the server.
Note: You can use the files generated by RREG to generate a certificate request and get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.
After RREG generates these files and artifacts, you must manually copy the following files, depending on the security mode you are using, from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home directory.
Do the following according to the security mode you are using. cwallet.sso, password.xml and aaa_key.pem are credentials (the agent wallet, the obfuscated passphrase and the private key); after copying them, make them readable only by the user that runs Apache.
In OPEN mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
In SIMPLE mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
In addition, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config/simple directory:
aaa_key.pem
aaa_cert.pem
In CERT mode, copy the following files from the RREG_Home/output/Agent_ID directory to the WebGate_Instance_Home/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
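The following script is an added example; it is not Oracle's code and is not part of this documentation. It applies after any of the registration methods described above (console, in-band or out-of-band RREG), since all of them leave the artifacts in an Agent_ID output directory, and automates the copy step for the three security modes. It checks that every file the mode requires is present before copying anything, so a missing password.xml or aaa_key.pem fails loudly instead of producing a WebGate that starts but cannot authenticate. The file names and destination directories are the ones listed above; the file permissions are this example's own hardening choice, and the paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from Oracle's documentation. Copies the RREG output
# for one agent into a WebGate instance according to the security mode,
# using the file names and destination directories this chapter lists.

# List "<file> <destination subdirectory>" pairs for a security mode.
# Destinations are relative to WebGate_Instance_Home/webgate.
artifacts_for_mode() {
    case "$1" in
        OPEN)
            printf '%s\n' 'ObAccessClient.xml config' 'cwallet.sso config' ;;
        SIMPLE)
            printf '%s\n' 'ObAccessClient.xml config' 'cwallet.sso config' \
                'password.xml config' 'aaa_key.pem config/simple' 'aaa_cert.pem config/simple' ;;
        CERT)
            printf '%s\n' 'ObAccessClient.xml config' 'cwallet.sso config' 'password.xml config' ;;
        *)
            echo "unknown security mode: $1 (expected OPEN, SIMPLE or CERT)" >&2; return 1 ;;
    esac
}

# install_agent_artifacts <mode> <RREG_Home/output/Agent_ID> <WebGate_Instance_Home>
install_agent_artifacts() {
    mode=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    src=$2; inst=$3
    list=$(artifacts_for_mode "$mode") || return 1
    # Verify the complete set first so a failure cannot leave a half-configured agent.
    printf '%s\n' "$list" | while read -r f sub; do
        [ -f "$src/$f" ] || { echo "missing $src/$f (required in $mode mode)" >&2; exit 1; }
    done || return 1
    printf '%s\n' "$list" | while read -r f sub; do
        dest=$inst/webgate/$sub
        mkdir -p "$dest" && cp -f "$src/$f" "$dest/$f" || exit 1
        case "$f" in
            # The wallet, the obfuscated passphrase and the private key are
            # credentials: owner-only (the user Apache runs as) and no wider.
            cwallet.sso|password.xml|aaa_key.pem) chmod 0600 "$dest/$f" ;;
            *) chmod 0644 "$dest/$f" ;;
        esac
    done || return 1
    echo "installed $mode-mode artifacts from $src into $inst/webgate"
}

# Usage (illustrative paths):
#   install_agent_artifacts simple /home/rreg/output/apache_wg1 /home/wg_instance4apache
```

Run it as the user that owns the WebGate instance, so the owner-only permissions on the credential files match the account Apache runs under.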
After copying the files, in CERT mode you must either generate a new certificate or migrate an existing certificate.
You can generate a new certificate as follows:
Go to the WebGate_Home/webgate/apache/tools/openssl directory.
Create a private key and certificate request as follows:
./openssl req -utf8 -new -nodes -config openssl_silent_apache11g.cnf -keyout aaa_key.pem -out aaa_req.pem -rand WebGate_Home/webgate/apache/config/random-seed
Sign the request with the simpleCA bundled with the WebGate tools (to have a third-party Certification Authority sign it instead, submit aaa_req.pem to that CA):
./openssl ca -config openssl_silent_apache11g.cnf -policy policy_anything -batch -out aaa_cert.pem -infiles aaa_req.pem
Copy the following generated files to the WebGate_Instance_Home/webgate/config directory:
aaa_key.pem
aaa_cert.pem
cacert.pem, located in the simpleCA directory
Note: After copying the cacert.pem file, rename it to aaa_chain.pem. This is the certificate of the CA that signed aaa_cert.pem.
Migrating an Existing Certificate
If you want to migrate an existing certificate (aaa_key.pem, aaa_cert.pem, and aaa_chain.pem), ensure that you use the same passphrase that you used to encrypt aaa_key.pem. You must enter the same passphrase during the RREG registration process. If you do not use the same passphrase, the password.xml file generated by RREG will not match the passphrase used to encrypt the key, and the WebGate will not be able to read its private key.
If you entered the same passphrase, copy the files as follows:
Go to the WebGate_Instance_Home/webgate/config directory.
Copy the following files into the WebGate_Instance_Home/webgate/config directory:
aaa_key.pem
aaa_cert.pem
aaa_chain.pem
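Before restarting Apache it is worth confirming that the three PEM files agree with each other and with the passphrase that went into password.xml. The check below is an added example using only the openssl command line; it is not part of the Oracle documentation and does not read password.xml, whose obfuscation format is not described here. The passphrase is taken from the WEBGATE_KEY_PASS environment variable (a name assumed by this example) rather than from the command line so that it does not appear in the process list. The function verifies that aaa_cert.pem chains to aaa_chain.pem (a cacert.pem that was not renamed, or a chain from a different CA, fails here), that aaa_key.pem opens with that passphrase (the migrated-key mistake described above), that the key and certificate carry the same public key, and warns if the certificate is within 30 days of expiry.

```shell
#!/bin/sh
# Added example, not Oracle's code: consistency check for the WebGate
# certificate set (aaa_key.pem, aaa_cert.pem, aaa_chain.pem) in a
# WebGate_Instance_Home/webgate/config directory.
#
# check_webgate_certs <config_dir>
#   Reads the key passphrase from $WEBGATE_KEY_PASS (assumed name); if it is
#   unset the key is expected to be unencrypted. Prints "ok" and returns 0
#   on success, otherwise prints the reason on stderr and returns 1.
check_webgate_certs() {
    dir=$1
    for f in aaa_key.pem aaa_cert.pem aaa_chain.pem; do
        [ -f "$dir/$f" ] || { echo "missing $dir/$f" >&2; return 1; }
    done

    # 1. aaa_cert.pem must be issued by the CA in aaa_chain.pem.
    openssl verify -CAfile "$dir/aaa_chain.pem" "$dir/aaa_cert.pem" >/dev/null 2>&1 \
        || { echo "aaa_cert.pem does not chain to aaa_chain.pem" >&2; return 1; }

    # 2. aaa_key.pem must open with the passphrase that was given to RREG;
    #    a migrated key encrypted under a different passphrase fails here.
    if [ -n "${WEBGATE_KEY_PASS:-}" ]; then
        export WEBGATE_KEY_PASS
        kpub=$(openssl pkey -in "$dir/aaa_key.pem" -passin env:WEBGATE_KEY_PASS -pubout 2>/dev/null)
    else
        kpub=$(openssl pkey -in "$dir/aaa_key.pem" -pubout 2>/dev/null </dev/null)
    fi
    [ -n "$kpub" ] || { echo "cannot read aaa_key.pem with the supplied passphrase" >&2; return 1; }

    # 3. the private key must belong to the certificate: compare public keys.
    cpub=$(openssl x509 -in "$dir/aaa_cert.pem" -noout -pubkey 2>/dev/null)
    [ "$kpub" = "$cpub" ] || { echo "aaa_key.pem does not match aaa_cert.pem" >&2; return 1; }

    # 4. warn (do not fail) if the certificate expires within 30 days.
    openssl x509 -in "$dir/aaa_cert.pem" -noout -checkend 2592000 >/dev/null 2>&1 \
        || echo "warning: aaa_cert.pem expires within 30 days" >&2
    echo ok
}

# Usage (illustrative path):
#   WEBGATE_KEY_PASS='the passphrase given to RREG' check_webgate_certs /home/wg_instance4apache/webgate/config
```

A failure at step 2 with an otherwise correct file set is the symptom of the passphrase mismatch described under Migrating an Existing Certificate: either re-register with the passphrase the key was encrypted with, or re-encrypt the key under the registered one.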
Use the startserv command to start, or the stopserv command to stop, your Apache instance (home is the directory of your Apache instance).
To stop the server, run the following command:
home/bin/stopserv
To start the server, set the library path first and then run the start command:
export LD_LIBRARY_PATH=WebGate_Home/webgate/apache/lib
home/bin/startserv
To restart the Apache instance, stop all running instances and then run the start command.
You should always use the instructions in this section to remove Apache 11g WebGate for Oracle Access Manager. If you remove the software manually, you may experience problems when you try to reinstall it later. Following the procedures in this section ensures that the software is properly removed.
To deinstall the WebGate agent, do the following:
Go to the MW_HOME/Webgate_Home/oui/bin directory on UNIX, or MW_HOME\Webgate_home\oui\bin on Windows.
Run the following command:
On UNIX: ./runInstaller -deinstall
On Windows: setup.exe -deinstall -jreLoc JRE_LOCATION
Ensure that you specify the absolute path to your JRE_LOCATION; relative paths are not supported.
After the deinstaller starts, the Welcome screen is displayed. Proceed with the deinstallation by referring to Section 5.7.1.
Follow the instructions in Table 5-2 to complete the deinstallation.
If you need additional help with any of the deinstallation screens, click Help to access the online help.
Sl. No. | Screen | Description | Action Required |
---|---|---|---|
1. | Welcome | Each time the deinstaller starts, the Welcome screen is displayed. | Click Next. |
2. | Deinstall Oracle Home | The Deinstall Oracle Home screen shows the Oracle home you are about to deinstall. | Verify the Oracle home you are about to deinstall. Click Deinstall. On the Warning screen, select whether you want the deinstaller to remove the Oracle home directory in addition to the software. Click Yes to remove the software and the Oracle home, No to remove only the software, or Cancel to return to the previous screen. If you select No, see Section 5.7.2 for instructions on how to manually remove your Oracle home directory. |
3. | Deinstallation Progress | The Deinstallation Progress screen shows the progress and status of the deinstallation. | Wait until the Deinstallation Complete screen appears. |
4. | Deinstallation Complete | The Deinstallation Complete screen appears when the deinstallation is complete. | Click Finish to dismiss the screen. |
If you selected No on the warning screen during deinstallation, you must manually remove your Webgate_Home directory and its sub-directories. For example, if your Oracle WebGate home directory was /home/Oracle/Middleware/Oracle_OAMWebGate1, run the following commands:
cd /home/Oracle/Middleware/
rm -rf Oracle_OAMWebGate1
On Windows, if your Oracle WebGate home directory was C:\Oracle\Middleware\Oracle_OAMWebGate1, open a file manager window, go to the C:\Oracle\Middleware directory, right-click the Oracle_OAMWebGate1 folder, and select Delete.
To install Apache 11g WebGate in silent mode, complete the following steps:
Set the contents of the silent.rsp file. For example:
[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
[GENERIC]
ORACLE_HOME=/home/MW_HOME/apache_WebGate_home
MIDDLEWARE_HOME=/home/MW_HOME
[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]
In the preceding file, the parameters are as follows:
ORACLE_HOME: the Oracle home location, that is, the directory in which you want to install the new Apache WebGate. The location must be an immediate child folder of the specified Middleware home. The Oracle home directory name can contain only alphanumeric, hyphen (-), dot (.), and underscore (_) characters, must begin with an alphanumeric character, and must be no longer than 128 characters. For example, /home/middleware/apache_webgate.
MIDDLEWARE_HOME: the full path to your Middleware home directory.
Extract the contents of the installer to a directory.
Run the following command:
WebGate_Installer_Directory/Disk1/runInstaller -jreLoc jre_location -invPtrLoc Absolute_Path_Of_the_oraInst.loc_file -silent -response Absolute_Path_Of_the_silent.rsp_file
In the preceding command:
WebGate_Installer_Directory is the absolute path to the directory in which you extracted the contents of the WebGate installer.
jre_location is the absolute path to the JRE directory.
Absolute_Path_Of_the_oraInst.loc_file is the absolute path to the oraInst.loc file.
Absolute_Path_Of_the_silent.rsp_file is the absolute path to the silent.rsp file you created.
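A silent installation is usually driven from a script. The shell functions below are an added example (not Oracle code and not part of this documentation) that enforce the ORACLE_HOME rules stated above before writing silent.rsp, and assemble the runInstaller command line while refusing relative paths, which the installer does not accept. The file layout and parameter names are those shown in this section; the sample paths in the usage lines are assumptions.

```shell
#!/bin/sh
# Added example, not Oracle's code: generate silent.rsp for the Apache
# WebGate installer and build the runInstaller command line described above.

# Oracle home directory name rules from this section: only alphanumeric,
# hyphen, dot and underscore; first character alphanumeric; at most 128 chars.
valid_oracle_home_name() {
    n=$1
    [ -n "$n" ] && [ "${#n}" -le 128 ] || return 1
    case "$n" in
        [A-Za-z0-9]*) ;;                  # must start with an alphanumeric character
        *) return 1 ;;
    esac
    case "$n" in
        *[!A-Za-z0-9._-]*) return 1 ;;    # any other character is rejected
    esac
    return 0
}

# write_silent_rsp <MIDDLEWARE_HOME> <ORACLE_HOME> <output file>
# ORACLE_HOME must be an immediate child of MIDDLEWARE_HOME and its name must
# pass valid_oracle_home_name; nothing is written otherwise.
write_silent_rsp() {
    mw=${1%/}; oh=${2%/}; out=$3
    [ "$(dirname "$oh")" = "$mw" ] \
        || { echo "ORACLE_HOME $oh is not an immediate child of MIDDLEWARE_HOME $mw" >&2; return 1; }
    valid_oracle_home_name "$(basename "$oh")" \
        || { echo "invalid Oracle home directory name: $(basename "$oh")" >&2; return 1; }
    cat > "$out" <<EOF
[ENGINE]
#DO NOT CHANGE THIS.
Response File Version=1.0.0.0.0
[GENERIC]
ORACLE_HOME=$oh
MIDDLEWARE_HOME=$mw
[SYSTEM]
[APPLICATIONS]
[RELATIONSHIPS]
EOF
}

# silent_install_cmd <installer dir> <jre dir> <oraInst.loc> <silent.rsp>
# Prints the command; every argument must be absolute because the installer
# does not accept relative paths.
silent_install_cmd() {
    for p in "$1" "$2" "$3" "$4"; do
        case "$p" in
            /*) ;;
            *) echo "not an absolute path: $p" >&2; return 1 ;;
        esac
    done
    echo "$1/Disk1/runInstaller -jreLoc $2 -invPtrLoc $3 -silent -response $4"
}

# Usage (illustrative paths):
#   write_silent_rsp /home/MW_HOME /home/MW_HOME/apache_WebGate_home /tmp/silent.rsp
#   cmd=$(silent_install_cmd /home/wg_installer /usr/java/jre1.7 /etc/oraInst.loc /tmp/silent.rsp) && $cmd
```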