C Configuring External Access to an Internal Exalogic IAM Deployment

This chapter describes how to configure an Exalogic Identity and Access Management deployment so that it can communicate with applications outside of the Exalogic rack.

If you have configured your Exalogic Identity and Access Management deployment to use the internal network of the Exalogic machine, then you have configured a fully functioning deployment for all applications that are deployed within the Exalogic rack. This configuration, however, does not enable you to protect applications outside of the Exalogic rack, because the security agents cannot talk to the Oracle Access Management Access Manager servers, which are only available on the internal Exalogic network.

In order to achieve a deployment where you have an external agent such as Oracle WebGate protecting a third party application such as SOA or Web Center, you must enable the external agent to communicate with the OAM servers using the public access network. To do this you need to perform the following additional steps.

First, ensure that your Exalogic Compute Nodes or vServers have access to the external Client Access Network using EoIB.

By default, your configuration is configured so that SSO agents communicate with the Access Manager servers, identified as host names iamhost1 and iamhost2, using the internal network.

In summary the steps you must perform are:

  1. Create Access Manager server instances registered using the client access network names for those servers.

  2. Create an SSO agent inside Access Manager which uses the external Access Manager servers.

  3. Configure the external WebGate to use the external SSO agent.

The example in this appendix shows how to protect a simple HTML test page on an external OHS using web gate. It includes the following sections:

C.1 Creating New OAM Server Instances Listening on the External Network

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad, click Server Instances.

  3. When the search window is displayed, click Search.

    You will see your existing server instances displayed: wls_oam1 and wls_oam2.

  4. Create two new server instances by clicking the Create button and entering the appropriate information. This example shows the values for wls_oam1_ext:

    • Server Name: wls_oam1_ext

    • Host: iamhost1ext.mycompany.com (Use the name associated with the client access network.)

    • Port: 14000 (OIM_PORT)

    • Proxy Server Id: AccessServerConfigProxy

    • Proxy Port: 5575 (OAM_PROXY_PORT)

    • Mode: Simple

    Leave all other values as they are and click Apply.

  5. Repeat for Server Name wls_oam2-ext.

You now have four Access Manager server instances, two listening on the internal network and two listening on the external network.

C.2 Creating a New SSO Agent

You can use either rreg or the OAM console to create a new SSO Agent. For the purposes of this example we will create a new SSO Agent using the console and using the existing Application Domain IAMSuiteAgent, but for your applications how you create the agent will be dependent on the application you are protecting. Refer to your product documentation for details.

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad, click SSO Agents.

  3. Click Create 11g Webgate.

  4. Create with the same values as the existing agent Webgate_IDM_11g, except for these three values:

    • Name for Example: Webgate_External

    • Deselect Auto Create Policies.

    • Host Identifier IAMSuiteAgent

  5. Click Apply a new web gate agent called Webgate_External.

  6. Edit the newly created agent by clicking SSO Agents from the Launch Pad.

  7. Click Search.

  8. Click on the newly created agent Webgate_External.

  9. Remove all servers from the Primary Server list other than wls_oam1-ext and wls_oam2-ext

  10. Click Apply.

C.3 Creating a Test Resource in OAM

  1. Log in to the OAM Console for IAMAccessDomain at the URL listed in Section 31.2, "About Identity and Access Management Console URLs."

  2. From the Launch Pad click Application Domains.

  3. When the Search Application Domains Window is displayed, click Search.

  4. Click on the Application Domain IAM Suite Agent.

  5. Click Resources tab.

  6. Click New Resource and enter the following information:

    • Type: Http

    • Description: Test Resource

    • Host Identifier: IAMSuiteAgent

    • Resource URL: /sso.html

    • Protection Level: Protected

    • Authentication Policy: Protected Higher Level Policy

    • Authorization Policy: Protected Resource Policy

  7. Click Apply.

C.4 Configuring the External Oracle HTTP Server

Install and configure Oracle HTTP server on your external server.

Create a test HTML page called sso.html and place it in the OHS htdocs folder.

Install WebGate on your external server.

Deploy WebGate to Oracle HTTP, as follows:

  1. Execute the command deployWebGateInstance.sh which is located in:


    The command takes the following arguments:

    • Oracle HTTP instance configuration directory

    • WebGate home directory

    For example:

    ./deployWebGateInstance.sh -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME  
  2. Set the library path.

    For example, set the library path to include the WEB_ORACLE_HOME/lib directory as follows

  3. Change directory. For example:

    cd WEBGATE_ORACLE_HOME/webgate/ohs/tools/setup/InstallTools
  4. Run the following command to copy the file apache_webgate.template from the WebGate home directory to the WebGate instance location (renamed to webgate.conf) and update the httpd.conf file to add one line to include the name of webgate.conf.

    ./EditHttpConf -w WEB_ORACLE_INSTANCE/config/OHS/component_name -oh WEBGATE_ORACLE_HOME              
  5. Copy the files ObAccessClient.xml, cwallet.sso, and password.xml, which were generated when you created the external agent from the directory


    on IDMHOST1, to the directory:


  6. Copy The files aaa_key.pem and aaa_cert.pem, which were generated when you created the agent from the directory


    on IDMHOST1 to the WebGate instance directory:


  7. Restart the Oracle HTTP Server

C.5 Validating the Installation

Test the installation by trying to access the protected resource:


You are redirected to the OAM credential collector. Enter a valid user name and password. The test page is displayed.