C Configuring External Access to an Internal Exalogic IAM Deployment

This chapter describes how to configure an Exalogic Identity and Access Management deployment so that it can communicate with applications outside of the Exalogic rack.

If you have configured your Exalogic Identity and Access Management deployment to use the internal network of the Exalogic machine, then you have configured a fully functioning deployment for all applications that are deployed within the Exalogic rack. This configuration, however, does not enable you to protect applications outside of the Exalogic rack, because the security agents cannot talk to the Oracle Access Management Access Manager servers, which are only available on the internal Exalogic network.

In order to achieve a deployment where you have an external agent such as Oracle WebGate protecting a third-party application such as SOA or Web Center, you must enable the external agent to communicate with the OAM servers using the public access network. To do this, you need to perform the following additional steps.

First, ensure that your Exalogic Compute Nodes or vServers have access to the external Client Access Network using EoIB.

By default, SSO agents communicate with the Access Manager servers, identified by the host names iamhost1 and iamhost2, using the internal network.

In summary the steps you must perform are:

  1. Create Access Manager server instances registered using the client access network names for those servers.

  2. Create an SSO agent inside Access Manager which uses the external Access Manager servers.

  3. Configure the external WebGate to use the external SSO agent.

The example in this appendix shows how to protect a simple HTML test page on an external OHS using WebGate. It includes the following sections:

  • Section C.1, "Creating New OAM Server Instances Listening on the External Network"

  • Section C.2, "Creating a New SSO Agent"

  • Section C.3, "Creating a Test Resource in OAM"

  • Section C.4, "Configuring the External Oracle HTTP Server"

  • Section C.5, "Validating the Installation"

C.1 Creating New OAM Server Instances Listening on the External Network

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad, click Server Instances.

  3. When the search window is displayed, click Search.

    You will see your existing server instances displayed: wls_oam1 and wls_oam2.

  4. Create two new server instances by clicking the Create button and entering the appropriate information. This example shows the values for wls_oam1_ext:

    • Server Name: wls_oam1_ext

    • Host: iamhost1ext.mycompany.com (Use the name associated with the client access network.)

    • Port: 14000 (OIM_PORT)

    • Proxy Server Id: AccessServerConfigProxy

    • Proxy Port: 5575 (OAM_PROXY_PORT)

    • Mode: Simple

    Leave all other values as they are and click Apply.

  5. Repeat for Server Name wls_oam2_ext.

You now have four Access Manager server instances, two listening on the internal network and two listening on the external network.

C.2 Creating a New SSO Agent

You can use either rreg or the OAM console to create a new SSO Agent. For the purposes of this example, the new SSO Agent is created using the console and the existing Application Domain IAMSuiteAgent. For your own applications, how you create the agent depends on the application you are protecting; refer to your product documentation for details.

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad, click SSO Agents.

  3. Click Create 11g Webgate.

  4. Create with the same values as the existing agent Webgate_IDM_11g, except for these three values:

    • Name: Webgate_External (for example)

    • Auto Create Policies: deselected

    • Host Identifier: IAMSuiteAgent

  5. Click Apply. A new WebGate agent called Webgate_External is created.

  6. Edit the newly created agent by clicking SSO Agents from the Launch Pad.

  7. Click Search.

  8. Click on the newly created agent Webgate_External.

  9. Remove all servers from the Primary Server list other than wls_oam1_ext and wls_oam2_ext.

  10. Click Apply.

C.3 Creating a Test Resource in OAM

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad click Application Domains.

  3. When the Search Application Domains Window is displayed, click Search.

  4. Click on the Application Domain IAMSuiteAgent.

  5. Click the Resources tab.

  6. Click New Resource and enter the following information:

    • Type: Http

    • Description: Test Resource

    • Host Identifier: IAMSuiteAgent

    • Resource URL: /sso.html

    • Protection Level: Protected

    • Authentication Policy: Protected Higher Level Policy

    • Authorization Policy: Protected Resource Policy

  7. Click Apply.

C.4 Configuring the External Oracle HTTP Server

Install and configure Oracle HTTP server on your external server.

Create a test HTML page called sso.html and place it in the OHS htdocs folder.

Install WebGate on your external server.

Deploy WebGate to Oracle HTTP Server, as follows:

  1. Execute the command deployWebGateInstance.sh, which is located in:

    WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate

    The command takes the following arguments:

    • Oracle HTTP instance configuration directory

    • WebGate home directory

    For example:

    ./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME

  2. Set the library path.

    For example, set the library path to include the WEB_ORACLE_HOME/lib directory as follows (the existing value is kept by referencing $LD_LIBRARY_PATH):

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:WEB_ORACLE_HOME/lib

  3. Change directory. For example:

    cd WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
    
  4. Run the following command. It copies the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and adds one line to the httpd.conf file that includes webgate.conf.

    ./EditHttpConf -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME

  5. Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the external agent, from the directory

    IAD_ASERVER_HOME/output/Webgate_External

    on IDMHOST1, to the directory:

    WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config

  6. Copy the files aaa_key.pem and aaa_cert.pem, which were generated when you created the agent, from the directory

    IAD_ASERVER_HOME/output/Webgate_External

    on IDMHOST1 to the WebGate instance directory:

    WEB_ORACLE_INSTANCE/config/OHS/component_name/webgate/config/simple

  7. Restart the Oracle HTTP Server.
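The seven steps above, scripted end to end, with a verification pass between copying the agent artifacts and restarting OHS. This is an added example, not a script from the Oracle guide: the environment variables WEB_ORACLE_HOME, WEB_ORACLE_INSTANCE, WEBGATE_ORACLE_HOME, COMPONENT_NAME and AGENT_OUTPUT_DIR are placeholders you set for your deployment (AGENT_OUTPUT_DIR is a copy of IAD_ASERVER_HOME/output/Webgate_External taken from IDMHOST1), and the final opmnctl restart assumes an OHS 11g instance. The verify function needs no Oracle tools and can be run on its own against any OHS component directory to confirm that every artifact from steps 5 and 6 is present, that EditHttpConf actually wired webgate.conf into httpd.conf, and that the Simple-mode private key is not world readable.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): scripts steps 1 to 7 of Section C.4
# and verifies the WebGate instance before restarting Oracle HTTP Server.
# Assumed environment (placeholders; set them for your deployment):
#   WEB_ORACLE_HOME, WEB_ORACLE_INSTANCE, WEBGATE_ORACLE_HOME, COMPONENT_NAME
#   AGENT_OUTPUT_DIR: a copy of IAD_ASERVER_HOME/output/Webgate_External from IDMHOST1
# Set RUN_WEBGATE_DEPLOY=1 to run the deployment; verification alone needs no Oracle tools.

# Artifacts that steps 5 and 6 copy into the instance.
WEBGATE_CONFIG_FILES="ObAccessClient.xml cwallet.sso password.xml"
WEBGATE_SIMPLE_FILES="aaa_key.pem aaa_cert.pem"

# deploy_webgate: steps 1 to 6 against the real WebGate and OHS tools.
deploy_webgate() {
  comp_dir="$WEB_ORACLE_INSTANCE/config/OHS/$COMPONENT_NAME"
  # Step 1: create the WebGate instance inside the OHS component.
  "$WEBGATE_ORACLE_HOME/webgate/ohs/tools/deployWebGate/deployWebGateInstance.sh" \
    -w "$comp_dir" -oh "$WEBGATE_ORACLE_HOME"
  # Step 2: add the OHS libraries to the library path, keeping any existing value.
  LD_LIBRARY_PATH="${LD_LIBRARY_PATH:+$LD_LIBRARY_PATH:}$WEB_ORACLE_HOME/lib"
  export LD_LIBRARY_PATH
  # Steps 3 and 4: run EditHttpConf from its own directory so it includes webgate.conf in httpd.conf.
  ( cd "$WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools" &&
    ./EditHttpConf -w "$comp_dir" -oh "$WEBGATE_ORACLE_HOME" )
  # Steps 5 and 6: install the agent artifacts and the Simple-mode key pair.
  mkdir -p "$comp_dir/webgate/config/simple"
  for f in $WEBGATE_CONFIG_FILES; do cp "$AGENT_OUTPUT_DIR/$f" "$comp_dir/webgate/config/"; done
  for f in $WEBGATE_SIMPLE_FILES; do cp "$AGENT_OUTPUT_DIR/$f" "$comp_dir/webgate/config/simple/"; done
  # Only the OHS user needs to read the private key.
  chmod 600 "$comp_dir/webgate/config/simple/aaa_key.pem"
}

# verify_webgate_instance COMPONENT_DIR
# Returns 0 when every artifact is present, httpd.conf includes webgate.conf and the
# private key is not world readable; otherwise reports each problem and returns 1.
verify_webgate_instance() {
  comp_dir=$1
  cfg_dir="$comp_dir/webgate/config"
  problems=0
  for f in $WEBGATE_CONFIG_FILES; do
    [ -s "$cfg_dir/$f" ] || { echo "missing or empty: $cfg_dir/$f"; problems=1; }
  done
  for f in $WEBGATE_SIMPLE_FILES; do
    [ -s "$cfg_dir/simple/$f" ] || { echo "missing or empty: $cfg_dir/simple/$f"; problems=1; }
  done
  if ! grep -q 'webgate.conf' "$comp_dir/httpd.conf" 2>/dev/null; then
    echo "httpd.conf does not include webgate.conf (EditHttpConf not run?)"; problems=1
  fi
  key="$cfg_dir/simple/aaa_key.pem"
  if [ -f "$key" ] && [ -n "$(find "$key" -perm -004)" ]; then
    echo "world-readable private key: $key"; problems=1
  fi
  return $problems
}

# restart_ohs: step 7, assuming an OHS 11g instance managed by opmnctl.
restart_ohs() {
  "$WEB_ORACLE_INSTANCE/bin/opmnctl" restartproc "ias-component=$COMPONENT_NAME"
}

if [ "${RUN_WEBGATE_DEPLOY:-0}" = "1" ]; then
  deploy_webgate
  verify_webgate_instance "$WEB_ORACLE_INSTANCE/config/OHS/$COMPONENT_NAME" || exit 1
  restart_ohs
fi
```

Running the verification before the restart means a missing cwallet.sso or an EditHttpConf that silently did nothing is caught while OHS is still serving the old configuration, rather than showing up as a WebGate that fails to start or, worse, an unprotected sso.html.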

C.5 Validating the Installation

Test the installation by trying to access the protected resource:

http://external_ohs/sso.html

You are redirected to the OAM credential collector. Enter a valid user name and password. The test page is displayed.
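A scripted form of this check, added here and not part of the Oracle guide: it reads the response headers captured from a request for the protected page and confirms that an unauthenticated request was redirected to Access Manager on the external host (iamhost1ext.mycompany.com from Section C.1), rather than answered directly or sent to an internal-only host name that external browsers cannot reach. The curl invocation in the comment and the obrareq.cgi path in the constructed sample headers are assumptions about the environment, not values from the page.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): checks saved response headers from
# http://external_ohs/sso.html to confirm the redirect to the external OAM host.
# Capture the headers first (external_ohs is a placeholder), then run the check:
#   curl -sS -o /dev/null -D headers.txt http://external_ohs/sso.html
#   check_oam_redirect headers.txt iamhost1ext.mycompany.com

# check_oam_redirect HEADERS_FILE EXPECTED_OAM_HOST
# Returns 0 when the status is a redirect and the Location host matches EXPECTED_OAM_HOST.
check_oam_redirect() {
  hdr_file=$1
  expected_host=$2
  # Status code from the first line, e.g. "HTTP/1.1 302 Found" -> 302.
  status=$(head -n 1 "$hdr_file" | tr -d '\r' | awk '{print $2}')
  case "$status" in
    302|303|307) ;;
    *) echo "expected a redirect to the credential collector, got status '$status'"; return 1 ;;
  esac
  # Location header value, with the CR from the HTTP line ending removed.
  location=$(grep -i '^Location:' "$hdr_file" | head -n 1 | tr -d '\r' | sed 's/^[Ll]ocation:[[:space:]]*//')
  # Host part only: strip the scheme, then everything from the first ':' or '/'.
  loc_host=$(printf '%s\n' "$location" | sed -e 's#^[a-zA-Z]*://##' -e 's#[:/].*$##')
  if [ "$loc_host" != "$expected_host" ]; then
    echo "redirect goes to '$loc_host', expected '$expected_host'"; return 1
  fi
  echo "ok: redirected to $location"
}
```

A redirect to iamhost1 instead of iamhost1ext is the symptom of an agent still pointing at the internal server instances (Section C.2, step 9), and a plain 200 means the resource definition from Section C.3 or the webgate.conf include from Section C.4 did not take effect.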