7 Configuring Oracle Traffic Director WebGate for Oracle Access Manager
A WebGate intercepts HTTP requests and forwards them to the Oracle Access Manager for authentication and authorization. WebGate gets installed by default when you install Oracle Traffic Director.
Note:
As of 12.2.1.4.0, Oracle Traffic Director is deprecated. In the future, for equivalent functionality, use Oracle HTTP Server, Microsoft IIS Web Server, or Apache HTTP Server plug-ins, or a native Kubernetes load balancer, such as Traefik.
This appendix contains the following sections:
- Prerequisites for Configuring Webgate
  You need to install Oracle Access Manager (OAM) before configuring Oracle Traffic Director. Also, there are version and environment related limitations for installing OAM.
- Configuring the Domain
  Use the Configuration Wizard to create and configure a domain.
- Configuring Oracle Traffic Director WebGate
- Verifying the Configuration of Oracle Traffic Director WebGate
- Getting Started with a New Oracle Traffic Director WebGate
Prerequisites for Configuring Webgate
You need to install Oracle Access Manager (OAM) before configuring Oracle Traffic Director. Also, there are version and environment related limitations for installing OAM.
Before you can configure Oracle Traffic Director 12c (12.2.1.4.0) WebGate, you must install one of the following versions of Oracle Access Manager.
Note:
It is highly recommended that Oracle Access Manager is installed in its own environment and not on the same machine as WebLogic Server. Oracle Access Manager and WebLogic Server can be installed on the same machine if they are both 12c versions.
Configuring the Domain
Use the Configuration Wizard to create and configure a domain.
For information on other methods to create domains, see Additional Tools for Creating, Extending, and Managing WebLogic Domains in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
- Starting the Configuration Wizard
  Start the Configuration Wizard to begin configuring a domain.
- Navigating the Configuration Wizard Screens to Create and Configure the Domain
  Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.
- Updating the System Properties for SSL Enabled Servers
  For SSL enabled servers, you must set the required properties in the setDomainEnv file in the domain home.
Starting the Configuration Wizard
Start the Configuration Wizard to begin configuring a domain.
To start the Configuration Wizard:
Navigating the Configuration Wizard Screens to Create and Configure the Domain
Enter required information in the Configuration Wizard screens to create and configure the domain for the topology.
Note:
You can use this procedure to extend an existing domain. If your needs do not match the instructions in the procedure, be sure to make your selections accordingly, or see the supporting documentation for more details.
- Selecting the Domain Type and Domain Home Location
  Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.
- Selecting the Configuration Templates
- Selecting the Application Home Location
  Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.
- Configuring the Administrator Account
  Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.
- Specifying the Domain Mode and JDK
  Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).
- Specifying the Database Configuration Type
  Use the Database Configuration type screen to specify details about the database and database schema.
- Specifying JDBC Component Schema Information
  Use the JDBC Component Schema screen to verify or specify details about the database schemas.
- Testing the JDBC Connections
  Use the JDBC Component Schema Test screen to test the data source connections.
- Selecting Advanced Configuration
  Use the Advanced Configuration screen to complete the domain configuration.
- Configuring the Administration Server Listen Address
  Use the Administration Server screen to select the IP address of the host.
- Configuring Node Manager
  Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.
- Configuring Managed Servers for Oracle Access Management
- Configuring a Cluster for WebGate
  Use the Clusters screen to create a new cluster.
- Defining Server Templates
  If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.
- Configuring Dynamic Servers
  You can skip this screen for Oracle Access Management configuration.
- Assigning WebGate Managed Servers to the Cluster
  Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, a cluster that contains one or more generated server instances that are based on a server template.
- Configuring Coherence Clusters
  Use the Coherence Clusters screen to configure the Coherence cluster.
- Creating a New WebGate Machine
  Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.
- Assigning Servers to WebGate Machines
  Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.
- Virtual Targets
  You can skip this screen for Oracle Access Management configuration.
- Partitions
  The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.
- Configuring Domain Frontend Host
  The Domain Frontend Host screen can be used to configure the frontend host for the domain.
- Targeting the Deployments
  The Deployments Targeting screen can be used to target the available deployments to the servers.
- Targeting the Services
  The Services Targeting screen can be used to target the available services to the Servers.
- Reviewing Your Configuration Specifications and Configuring the Domain
  The Configuration Summary screen shows detailed configuration information for the domain you are about to create.
- Writing Down Your Domain Home and Administration Server URL
  The End of Configuration screen shows information about the domain you just configured.
Selecting the Domain Type and Domain Home Location
Use the Configuration Type screen to select a Domain home directory location, optimally outside the Oracle home directory.
To specify the Domain type and Domain home directory:
- On the Configuration Type screen, select Create a new domain.
- In the Domain Location field, specify your Domain home directory.
Note:
To extend the B2B domain from SOA domain, select B2B classic template instead of Oracle B2B Reference Configuration template. Extending a reference-configured SOA domain is not supported.
For more details about this screen, see Configuration Type in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Selecting the Configuration Templates
On the Templates screen, make sure Create Domain Using Product Templates is selected, then select the Webgate template.
Selecting this template automatically selects the following as dependencies:
- Oracle Enterprise Manager
- Oracle JRF
- WebLogic Coherence Cluster Extension
Note:
The basic WebLogic domain is pre-selected.
More information about the options on this screen can be found in Templates in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Selecting the Application Home Location
Use the Application Location screen to select the location to store applications associated with your domain, also known as the Application home directory.
Oracle recommends that you locate your Application home in accordance with the directory structure in What Are the Key Oracle Fusion Middleware Directories? in Oracle Fusion Middleware Understanding Oracle Fusion Middleware, where the Application home is located outside the Oracle home directory. This directory structure helps avoid issues when you need to upgrade or re-install your software.
For more about the Application home directory, see About the Application Home Directory.
For more information about this screen, see Application Location in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
- About the Application Home Directory
  The Application home is the directory where applications for domains you configure are created.
- About the Recommended Directory Structure
  Oracle recommends specific locations for the Oracle Home, Domain Home, and Application Home.
About the Application Home Directory
The Application home is the directory where applications for domains you configure are created.
The default Application home location is ORACLE_HOME/user_projects/applications/domain_name. However, Oracle strongly recommends that you locate your Application home outside of the Oracle home directory; if you upgrade your product to another major release, you must create a new Oracle home for binaries.
See About the Recommended Directory Structure for more on the recommended directory structure and locating your Application home.
Fusion Middleware documentation refers to the Application home directory as APPLICATION_HOME and includes all folders up to and including the domain name. For example, if you name your domain exampledomain and you locate your application data in the /home/oracle/config/applications directory, the documentation uses APPLICATION_HOME to refer to /home/oracle/config/applications/exampledomain.
About the Recommended Directory Structure
Oracle recommends specific locations for the Oracle Home, Domain Home, and Application Home.
Oracle recommends a directory structure similar to the one shown in Figure 7-1.
Figure 7-1 Recommended Oracle Fusion Middleware Directory Structure
A base location (Oracle base) should be established on your system (for example, /home/oracle). From this base location, create two separate branches, namely, the product directory and the config directory. The product directory should contain the product binary files and all the Oracle home directories. The config directory should contain your domain and application data.
Oracle recommends that you do not keep your configuration data in the Oracle home directory; if you upgrade your product to another major release, you are required to create a new Oracle home for binaries. You must also make sure that your configuration data exists in a location where the binaries in the Oracle home have access.
The /home/oracle/product (for the Oracle home) and /home/oracle/config (for the application and configuration data) directories are used in the examples throughout the documentation; be sure to replace these directories with the actual directories on your system.
Configuring the Administrator Account
Use the Administrator Account screen to specify the user name and password for the default WebLogic Administrator account for the domain.
Oracle recommends that you make a note of the user name and password that you enter on this screen; you need these credentials later to boot and connect to the domain's Administration Server.
For more information about this screen, see Administrator Account in Creating WebLogic Domains Using the Configuration Wizard.
Specifying the Domain Mode and JDK
Use the Domain Mode and JDK screen to specify the domain mode and Java Development Kit (JDK).
On the Domain Mode and JDK screen:
- Select Production in the Domain Mode field.
- Select the Oracle HotSpot JDK in the JDK field.
Specifying the Database Configuration Type
Use the Database Configuration type screen to specify details about the database and database schema.
On the Database Configuration type screen, select RCU Data. This option instructs the Configuration Wizard to connect to the database and Service Table (STB) schema to automatically retrieve schema information for schemas needed to configure the domain.
Note:
If you select Manual Configuration on this screen, you must manually fill in parameters for your schema on the next screen.
After selecting RCU Data, specify details in the following fields:
Field | Description |
---|---|
DBMS/Service | Enter the database DBMS name, or service name if you selected a service type driver. Example: |
Host Name | Enter the name of the server hosting the database. Example: |
Port | Enter the port number on which the database listens. Example: |
Schema Owner, Schema Password | Enter the username and password for connecting to the database's Service Table schema. This is the schema username and password entered for the Service Table component on the Schema Passwords screen in the RCU. The default username is |
Click Get RCU Configuration when you finish specifying the database connection information. The following output in the Connection Result Log indicates that the operation succeeded:
Connecting to the database server...OK
Retrieving schema data from database server...OK
Binding local schema components with retrieved data...OK
Successfully Done.
For more information about the schema installed when the RCU is run, see About the Service Table Schema in Oracle Fusion Middleware Creating Schemas with the Repository Creation Utility.
See Database Configuration Type in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Specifying JDBC Component Schema Information
Use the JDBC Component Schema screen to verify or specify details about the database schemas.
Verify that the values populated on the JDBC Component Schema screen are correct for all schemas. If you selected RCU Data on the previous screen, the schema table should already be populated appropriately. If you selected Manual configuration on the Database Configuration screen, you must configure the schemas listed in the table manually, before you proceed.
For high availability environments, see the following sections in Oracle Fusion Middleware High Availability Guide for additional information on configuring data sources for Oracle RAC databases:
See JDBC Component Schema in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard for more details about this screen.
Testing the JDBC Connections
Use the JDBC Component Schema Test screen to test the data source connections.
A green check mark in the Status column indicates a successful test. If you encounter any issues, see the error message in the Connection Result Log section of the screen, fix the problem, then try to test the connection again.
By default, the schema password for each schema component is the password you specified while creating your schemas. If you want different passwords for different schema components, manually edit them in the previous screen (JDBC Component Schema) by entering the password you want in the Schema Password column, against each row. After specifying the passwords, select the check boxes for the schemas whose passwords you changed and test the connection again.
For more information about this screen, see JDBC Component Schema Test in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Selecting Advanced Configuration
Use the Advanced Configuration screen to complete the domain configuration.
On the Advanced Configuration screen, select:
- Administration Server
  Required to properly configure the listen address of the Administration Server.
- Node Manager
  Required to configure Node Manager.
- Topology
  Required to configure the WebGate Managed Server.
Optionally, select other available options as required for your desired installation environment. The steps in this guide describe a standard installation topology, but you may choose to follow a different path. If your installation requirements extend to additional options outside the scope of this guide, you may be presented with additional screens to configure those options. For information about all Configuration Wizard screens, see Configuration Wizard Screens in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Configuring the Administration Server Listen Address
Use the Administration Server screen to select the IP address of the host.
Select the drop-down list next to Listen Address and select the IP address of the host where the Administration Server will reside, or use the system name or DNS name that maps to a single IP address. Do not use All Local Addresses.
Do not specify any server groups for the Administration Server.
Note:
Use the Mozilla Firefox browser to access Internet Protocol Version 6 (IPv6) URLs. You must enter the Global IPv6 address to create a domain and access URLs. (You should not use the local IPv6 address.)
Configuring Node Manager
Use the Node Manager screen to select the type of Node Manager you want to configure, along with the Node Manager credentials.
Select Per Domain Default Location as the Node Manager type, then specify Node Manager credentials.
For more information about this screen, see Node Manager in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
For more about Node Manager types, see Node Manager Overview in Oracle Fusion Middleware Administering Node Manager for Oracle WebLogic Server.
Configuring Managed Servers for Oracle Access Management
On the Managed Servers screen, the new Managed Servers named otd_server_1 and otd_policy_mgr1 are displayed:
These server names will be referenced throughout this document; if you choose different names, be sure to replace them as needed.
Tip:
More information about the options on this screen can be found in Managed Servers in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Configuring a Cluster for WebGate
Use the Clusters screen to create a new cluster.
Note:
If you are configuring a non-clustered setup on a single node, skip this screen.
On the Clusters screen:
Repeat the preceding steps to create three more clusters: cpt_cluster1, ibr_cluster1, and wccui_cluster1.
By default, server instances in a cluster communicate with one another using unicast. If you want to change your cluster communications to use multicast, see Considerations for Choosing Unicast or Multicast in Oracle Fusion Middleware Administering Clusters for Oracle WebLogic Server.
You can also create clusters using Fusion Middleware Control. In this case, you can configure cluster communication (unicast or multicast) when you create the new cluster. See Create and configure clusters in Oracle Fusion Middleware Oracle WebLogic Server Administration Console Online Help.
For more information about this screen, see Clusters in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Defining Server Templates
If you are creating dynamic clusters for a high availability setup, use the Server Templates screen to define one or more server templates for the domain.
For steps to create a dynamic cluster for a high availability setup, see Using Dynamic Clusters in Oracle Fusion Middleware High Availability Guide.
Configuring Dynamic Servers
You can skip this screen for Oracle Access Management configuration.
Assigning WebGate Managed Servers to the Cluster
Use the Assign Servers to Clusters screen to assign Managed Servers to a new configured cluster. A configured cluster is a cluster you configure manually. You do not use this screen if you are configuring a dynamic cluster, a cluster that contains one or more generated server instances that are based on a server template.
Note:
All Managed Servers of a component type in the domain must belong to that cluster. For example, WebGate domains support only a single WebGate cluster inside each domain.
For more on configured cluster and dynamic cluster terms, see About Dynamic Clusters in Oracle Fusion Middleware Understanding Oracle WebLogic Server.
On the Assign Servers to Clusters screen:
For more information about this screen, see Assign Servers to Clusters in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Configuring Coherence Clusters
Use the Coherence Clusters screen to configure the Coherence cluster.
Leave the default port number as the Coherence cluster listen port. After configuration, the Coherence cluster is automatically added to the domain.
Note:
Setting the unicast listen port to 0 creates an offset for the Managed Server port numbers. The offset is 5000, meaning the maximum allowed value that you can assign to a Managed Server port number is 60535, instead of 65535.
For Coherence licensing information, see Oracle Coherence Products in Oracle Fusion Middleware Licensing Information User Manual.
Creating a New WebGate Machine
Use the Machines screen to create new machines in the domain. A machine is required so that Node Manager can start and stop servers.
If you plan to create a high availability environment and know the list of machines your target topology requires, you can follow the instructions in this section to create all the machines at this time. For more about scale out steps, see Optional Scale Out Procedure in Oracle Fusion Middleware High Availability Guide.
Note:
If you are extending an existing domain, you can assign servers to any existing machine. It is not necessary to create a new machine unless your situation requires it.
For more information about this screen, see Machines in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Assigning Servers to WebGate Machines
Use the Assign Servers to Machines screen to assign the Administration Server and Managed Servers to the new machine you just created.
On the Assign Servers to Machines screen:
For more information about this screen, see Assign Servers to Machines in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Virtual Targets
You can skip this screen for Oracle Access Management configuration.
Click Next and proceed.
Partitions
The Partitions screen is used to configure partitions for virtual targets in WebLogic Server Multitenant (MT) environments. Select Next without selecting any options.
For details about options on this screen, see Partitions in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Note:
WebLogic Server Multitenant domain partitions are deprecated in WebLogic Server 12.2.1.4.0 and will be removed in the next release.
Configuring Domain Frontend Host
The Domain Frontend Host screen can be used to configure the frontend host for the domain.
Select Plain or SSL and specify the respective host value.
Click Next.
Targeting the Deployments
The Deployments Targeting screen can be used to target the available deployments to the servers.
Targeting the Services
The Services Targeting screen can be used to target the available services to the Servers.
Reviewing Your Configuration Specifications and Configuring the Domain
The Configuration Summary screen shows detailed configuration information for the domain you are about to create.
Review each item on the screen and verify that the information is correct. To make any changes, go back to a screen by clicking the Back button or selecting the screen in the navigation pane. Domain creation does not start until you click Create.
For more details about options on this screen, see Configuration Summary in Oracle Fusion Middleware Creating WebLogic Domains Using the Configuration Wizard.
Writing Down Your Domain Home and Administration Server URL
The End of Configuration screen shows information about the domain you just configured.
Make a note of the following items because you need them later:
- Domain Location
- Administration Server URL
You need the domain location to access scripts that start Node Manager and Administration Server, and you need the URL to access the Administration Server.
Click Finish to dismiss the Configuration Wizard.
Updating the System Properties for SSL Enabled Servers
For SSL enabled servers, you must set the required properties in the setDomainEnv file in the domain home.
Set the following properties in the DOMAIN_HOME/bin/setDomainEnv.sh (for UNIX) or DOMAIN_HOME\bin\setDomainEnv.cmd (for Windows) file before you start the servers:
- -Dweblogic.security.SSL.ignoreHostnameVerification=true
- -Dweblogic.security.TrustKeyStore=DemoTrust
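The two properties above turn off TLS hostname verification and make the servers trust the WebLogic demo trust keystore, so it helps to know exactly where a domain sets them. The following check is an added example, not part of the Oracle documentation: it scans setDomainEnv content for those settings, and the sample file contents, the keystore path and the name audit_domain_env are constructed for illustration.

```python
import re

# The two properties this section adds, mapped to the value that relaxes
# TLS checking and a short description of the effect.
RELAXED = {
    "weblogic.security.SSL.ignoreHostnameVerification":
        ("true", "TLS hostname verification is disabled"),
    "weblogic.security.TrustKeyStore":
        ("DemoTrust", "the WebLogic demo trust keystore is trusted"),
}

# -Dname=value as it appears inside JAVA_OPTIONS / EXTRA_JAVA_PROPERTIES lines.
_PROP = re.compile(r"-D([A-Za-z0-9_.]+)=([^\s\"']+)")
# Whole-line comments in setDomainEnv.sh (#) and setDomainEnv.cmd (REM, ::).
_COMMENT = re.compile(r"^\s*(#|::|@?rem\b)", re.IGNORECASE)


def audit_domain_env(text):
    """Return (line_number, property, value, effect) for each relaxed setting."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if _COMMENT.match(line):
            continue  # a commented-out property has no effect
        for name, value in _PROP.findall(line):
            relaxed = RELAXED.get(name)
            if relaxed and value.lower() == relaxed[0].lower():
                findings.append((lineno, name, value, relaxed[1]))
    return findings


# Constructed excerpt of DOMAIN_HOME/bin/setDomainEnv.sh with the settings
# exactly as this section lists them.
SAMPLE_AS_DOCUMENTED = """\
# constructed excerpt of DOMAIN_HOME/bin/setDomainEnv.sh
JAVA_PROPERTIES="-Dwls.home=${WLS_HOME}"
# -Dweblogic.security.TrustKeyStore=DemoTrust
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.SSL.ignoreHostnameVerification=true -Dweblogic.security.TrustKeyStore=DemoTrust"
export EXTRA_JAVA_PROPERTIES
"""

# Constructed excerpt for a domain that verifies hostnames and uses its own
# trust keystore (the keystore path is a placeholder).
SAMPLE_HARDENED = """\
EXTRA_JAVA_PROPERTIES="${EXTRA_JAVA_PROPERTIES} -Dweblogic.security.SSL.ignoreHostnameVerification=false -Dweblogic.security.TrustKeyStore=CustomTrust -Dweblogic.security.CustomTrustKeyStoreFileName=/home/oracle/config/keystores/trust.jks"
export EXTRA_JAVA_PROPERTIES
"""

if __name__ == "__main__":
    for label, text in (("as documented", SAMPLE_AS_DOCUMENTED),
                        ("hardened", SAMPLE_HARDENED)):
        results = audit_domain_env(text)
        print(f"{label}: {len(results)} finding(s)")
        for lineno, name, value, effect in results:
            print(f"  line {lineno}: {name}={value} ({effect})")
```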
Configuring Oracle Traffic Director WebGate
Complete the following steps after installing Oracle Traffic Director to configure Oracle Traffic Director 12c (12.2.1.4.0) WebGate for Oracle Access Manager:
- On UNIX
  - Go to the $(Oracle_Home)/webgate/otd/tools/deployWebGate directory (Please note that $(Oracle_Home) is the location set as the OracleHome when installing Oracle Traffic Director) by running the following command:
    cd $(Oracle_Home)/webgate/otd/tools/deployWebGate
  - Run the following command to create the OTD WebGate Instance Directory from $(Oracle_Home)/webgate/otd/tools/deployWebGate:
    ./deployWebGateInstance -w webgate_instanceDirectory -oh $(Oracle_Home) -ws otd
    In this command:
    - $(Oracle_Home) is the path to where Oracle Traffic Director has been installed.
      Example: /home/oracle
    - webgate_instanceDirectory is the location of the directory where you will copy the WebGate profile.
      Example: $(Domain_Home)/config/fmwconfig/components/OTD/instances/Instance_Name
      (Please note that $(Domain_Home) is the path to the directory which contains the OTD domain.)
  - Set the environment variable LD_LIBRARY_PATH to WebGate_$(Oracle_Home)/lib
    For example:
    For Linux 64
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$(Oracle_Home)/lib
    For Windows
    set PATH=%(Oracle_Home)%\bin;%path%
  - Go to the following directory:
    For Unix-based platforms
    $(Oracle_Home)/webgate/otd/tools/setup/InstallTools
    For Windows
    %(Oracle_Home)%\webgate\otd\tools\EditObjConf
  - On the command line, run the following command for updating OTD conf files, such as magnus.conf and obj.conf.
    For a standalone Oracle Traffic Director installation:
    ./EditObjConf -f Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name/config/Instance_Name-obj.conf -w webgate_instanceDirectory [-oh Oracle_Home] -ws otd
    For a collocated Oracle Traffic Director installation:
    ./EditObjConf -f Domain_Home/config/fmwconfig/components/OTD/Instance_Name/config/Instance_Name-obj.conf -w webgate_instanceDirectory [-oh Oracle_Home] -ws otd
    In this command:
    - Oracle_Home is the path to the parent directory of a valid WebLogic Server installation, or to where Oracle Traffic Director is installed.
      Example: /home/oracle
    - webgate_instanceDirectory is the location of the directory where you will copy the WebGate profile.
      Example: Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name
- On Windows
  - Go to the %Oracle_Home%\webgate\otd\tools\deployWebGate directory by running the following command:
    cd %Oracle_Home%\webgate\otd\tools\deployWebGate
  - Run the following command to copy the required bits of agent from the %Oracle_Home% directory to the webgate_instanceDirectory location:
    deployWebGateInstance.bat -w webgate_instanceDirectory [-oh Oracle_Home] -ws otd
    In this command:
    - Oracle_Home is the directory in which you have installed Oracle Traffic Director WebGate.
      Example: \home\oracle
    - webgate_instanceDirectory is the location of the directory where you will copy the WebGate profile.
      Example: Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name
  - Run the following command to set the PATH environment variable:
    set PATH=%PATH%;%Oracle_Home%\webgate\otd\lib;%Oracle_Home%\bin
  - Go to the following directory:
    %Oracle_Home%\webgate\otd\tools\EditObjConf
  - On the command line, run the following command for updating OTD conf files, such as magnus.conf and obj.conf.
    For a standalone Oracle Traffic Director installation:
    EditObjConf -f Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name/config/Instance_Name-obj.conf -w webgate_instanceDirectory [-oh $(Oracle_Home)] -ws otd
    For a collocated Oracle Traffic Director installation:
    ./EditObjConf -f Domain_Home/config/fmwconfig/components/OTD/Instance_Name/config/Instance_Name-obj.conf -w webgate_instanceDirectory [-oh $(Oracle_Home)] -ws otd
    In this command:
    - Oracle_Home is the directory in which you have installed Oracle Traffic Director WebGate for Oracle Access Manager.
      Example: \home\oracle
    - webgate_instanceDirectory is the location of the directory where you will copy the WebGate profile.
      Example: Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name
Verifying the Configuration of Oracle Traffic Director WebGate
After installing Oracle Traffic Director 12c (12.2.1.4.0) WebGate for Oracle Access Manager and completing the configuration steps, you can examine the installDATE-TIME_STAMP.out log file to verify the installation. The default locations of the log are as follows:
- On UNIX
  $(Oracle_Home)/oraInst.loc
- On Windows
  C:\Program Files\Oracle\Inventory\logs
Getting Started with a New Oracle Traffic Director WebGate
Before you can use the new Oracle Traffic Director 12c (12.2.1.4.0) WebGate agent for Oracle Access Manager, you must complete the following tasks:
- Registering the New Oracle Traffic Director 12c (12.2.1.4.0) WebGate
  The Oracle Access Manager WebGate component utilizes a high availability environment to eliminate a single point of failure and to distribute the workload using a load balancer (LBR). OAM needs to be registered only once; the same resulting artifacts are used by all the OAM WebGates that are behind the LBR.
- Copying Generated Files and Artifacts to the Oracle Traffic Director WebGate Instance Location
- Restarting the Oracle Traffic Director Instance
Registering the New Oracle Traffic Director 12c (12.2.1.4.0) WebGate
The Oracle Access Manager WebGate component utilizes a high availability environment to eliminate a single point of failure and to distribute the workload using a load balancer (LBR). OAM needs to be registered only once; the same resulting artifacts are used by all the OAM WebGates that are behind the LBR.
You can register the new WebGate agent with Oracle Access Manager using any one of the following options:
Oracle Access Manager Administration console
For complete information about registering WebGate agent using Oracle Access Manager console, see Registering an OAM Agent Using the Console in Administrator's Guide for Oracle Access Management.
RREG tool
For complete information about registering WebGate agent using RREG tool, see:
Setting Up the RREG Tool
To set up the RREG tool, complete the following steps:
- On UNIX
  - After installing and configuring Oracle Access Manager, go to the following directory:
    Oracle_IDM2/oam/server/rreg/client
  - Untar the RREG.tar.gz file.
    Example:
    gunzip RREG.tar.gz
    tar -xvf RREG.tar
  The tool for registering the agent is located at:
  RREG_Home/bin/oamreg.sh
  Note:
  RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg.
- On Windows
  - After installing and configuring Oracle Access Manager, go to the following location:
    Oracle_IDM2\oam\server\rreg\client
  - Extract the contents of the RREG.tar.zip file to a destination of your choice.
  The tool for registering the agent is located at:
  RREG_Home\bin\oamreg.bat
  Note:
  RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg.
Set the following environment variables in the oamreg.sh script, on UNIX, and oamreg.bat script, on Windows:
- OAM_REG_HOME
  Set this variable to the absolute path to the directory in which you extracted the contents of RREG.tar/rreg.
- JDK_HOME
  Set this variable to the absolute path to the directory in which Java or JDK is installed on your machine.
Updating the OAM12cRequest.xml File
You must update the agent parameters, such as agentName, in the OAM12cRequest.xml file in the RREG_Home\input directory on Windows. On UNIX, the file is in the RREG_Home/input directory.
Note:
The OAM12cRequest.xml file or the short version OAM12cRequest_short.xml is used as a template. You can copy this template file and use it.
Modify the following required parameters in the OAM12cRequest.xml file or in the OAM12cRequest_short.xml file:
- serverAddress
  Specify the host and the port of the OAM Administration Server.
- agentName
  Specify any custom name for the agent.
- agentBaseUrl
  Specify the host and the port of the machine on which Oracle Traffic Director 12c (12.2.1.4.0) WebGate is installed.
- preferredHost
  Specify the host and the port of the machine on which Oracle Traffic Director 12c (12.2.1.4.0) WebGate is installed.
- security
  Specify the security mode, such as open, based on the WebGate installed.
- primaryServerList
  Specify the host and the port of Managed Server for the Oracle Access Manager proxy, under a Server container element.
After modifying the file, save and close it.
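The following pre-flight check is an added example, not part of Oracle's documentation or the RREG tool. It verifies that a request file carries the six required parameters listed above before RREG is run on it, which is most useful to an administrator who receives the file by e-mail in out-of-band mode. The root element name, the child elements of Server and all host values in the sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

REQUIRED = ("serverAddress", "agentName", "agentBaseUrl",
            "preferredHost", "security", "primaryServerList")
MODES = {"open", "simple", "cert"}  # security modes named on this page

# Constructed sample; host names, ports and the root element name are made up.
SAMPLE = """<RegRequest>
  <serverAddress>http://oam-admin.example.com:7001</serverAddress>
  <agentName>otd_webgate_1</agentName>
  <agentBaseUrl>http://otd.example.com:8080</agentBaseUrl>
  <preferredHost>otd.example.com:8080</preferredHost>
  <security>open</security>
  <primaryServerList>
    <Server><serverHost>oam-ms.example.com</serverHost><serverPort>5575</serverPort></Server>
  </primaryServerList>
</RegRequest>"""

def local(tag):
    """Element name without a '{namespace}' prefix."""
    return tag.rsplit("}", 1)[-1]

def check_request(xml_text):
    """Return the problems found in an OAM12cRequest.xml body (empty list = OK)."""
    # The request needs no DTD; refuse one before parsing so a file received
    # by e-mail cannot carry entity declarations into the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DOCTYPE/ENTITY declaration present"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    params = {local(child.tag): child for child in root}
    problems = []
    for name in REQUIRED:
        if name not in params:
            problems.append(f"missing required parameter: {name}")
        elif name != "primaryServerList" and not (params[name].text or "").strip():
            problems.append(f"empty required parameter: {name}")
    mode = (params["security"].text or "").strip() if "security" in params else ""
    if mode and mode.lower() not in MODES:
        problems.append(f"unknown security mode: {mode}")
    servers = params.get("primaryServerList")
    if servers is not None and not any(local(s.tag) == "Server" for s in servers):
        problems.append("primaryServerList has no Server element")
    return problems
```

Call `check_request(open(path, encoding="utf-8").read())` on the edited file and run RREG only when the returned list is empty.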
Using the In-Band Mode
If you run the RREG tool once after updating the WebGate parameters in the OAM12cRequest.xml file, the files and artifacts required by WebGate are generated in the following directory:
On UNIX:
RREG_Home/output/agent_name
On Windows:
RREG_Home\output\agent_name
Note:
You can run RREG either on a client machine or on the server. If you are running it on the server, you must manually copy the artifacts back to the client.
Complete the following steps:
- Open the OAM12cRequest.xml file, which is in RREG_Home/input/ on UNIX and RREG_Home\input on Windows. RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg.
  Edit the XML file and specify parameters for the new Oracle Traffic Director WebGate for Oracle Access Manager.
- Run the following command:
  On UNIX:
  ./RREG_Home/bin/oamreg.sh inband input/OAM12cRequest.xml
  On Windows:
  RREG_Home\bin\oamreg.bat inband input\OAM12cRequest.xml
Using the Out-Of-Band Mode
If you are an end user with no access to the server, you can e-mail your updated OAM12cRequest.xml file to the system administrator, who can run RREG in the out-of-band mode. You can collect the generated AgentID_Response.xml file from the system administrator and run RREG on this file to obtain the WebGate files and artifacts you require.
After you receive the generated AgentID_Response.xml file from the administrator, you must manually copy the file to the input directory on your machine.
- On UNIX
  Complete the following steps:
  - If you are an end user with no access to the server, open the OAM12cRequest.xml file, which is in RREG_Home/input/. RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg. Edit this XML file and specify parameters for the new Oracle Traffic Director WebGate for Oracle Access Manager. Send the updated file to your system administrator.
  - If you are an administrator, copy the updated OAM12cRequest.xml file, which is in the RREG_Home/input/ directory. This is the file that you received from the end user. Go to your (administrator's) RREG_Home directory and run the following command:
    ./RREG_Home/bin/oamreg.sh outofband input/OAM12cRequest.xml
    An Agent_ID_Response.xml file is generated in the output directory on the administrator's machine, in the RREG_Home/output/ directory. Send this file to the end user who sent you the updated OAM12cRequest.xml file.
  - If you are an end user, copy the generated Agent_ID_Response.xml file, which is in RREG_Home/input/. This is the file that you received from the administrator. Go to your (client's) RREG home directory and run the following command on the command line:
    ./RREG_Home/bin/oamreg.sh outofband input/Agent_ID_Response.xml
  Note:
  If you register the WebGate agent by using the Oracle Access Manager Administration Console, as described in "Registering an OAM Agent Using the Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management, you must manually copy the files and artifacts generated after the registration from the server (the machine on which the Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the $(Oracle_Home)/user_projects/domains/name_of_the_WebLogic_domain_for_OAM/output/Agent_ID directory.
- On Windows
  Complete the following steps:
  - If you are an end user with no access to the server, open the OAM12cRequest.xml file, which is in the RREG_Home\input\ directory. RREG_Home is the directory in which you extracted the contents of RREG.tar.gz/rreg. Edit this XML file, specify parameters for the new Oracle Traffic Director WebGate for Oracle Access Manager, and send the updated file to your system administrator.
  - If you are an administrator, copy the updated OAM12cRequest.xml file, which is in RREG_Home\input\. This is the file you received from the end user. Go to your (administrator's) RREG_Home directory and run the following command:
    RREG_Home\bin\oamreg.bat outofband input\OAM12cRequest.xml
    An Agent_ID_Response.xml file is generated on the administrator's machine in the RREG_Home\output\ directory. Send this file to the end user who sent you the updated OAM12cRequest.xml file.
  - If you are an end user, copy the generated Agent_ID_Response.xml file, which is in RREG_Home\input\. This is the file you received from the administrator. Go to your (client's) RREG home directory and run the following command:
    RREG_Home\bin\oamreg.bat outofband input\Agent_ID_Response.xml
  Note:
  If you register the WebGate agent by using the Oracle Access Manager Administration Console, as described in "Registering an OAM Agent Using the Console" in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management, you must manually copy the files and artifacts generated after the registration from the server (the machine on which the Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the $(Oracle_Home)/user_projects/domains/name_of_the_WebLogic_domain_for_OAM/output/Agent_ID directory.
Files and Artifacts Generated by RREG
Regardless of the method or mode you use to register the new WebGate agent, the following files and artifacts are generated in the RREG_Home/output/Agent_ID directory:
- wallet/cwallet.sso
- cwallet.sso
- ObAccessClient.xml
- In the SIMPLE mode, RREG generates:
  - password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be the same as the passphrase used on the server.
  - aaa_key.pem
  - aaa_cert.pem
- In the CERT mode, RREG generates password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be different than the passphrase used on the server.
  Note:
  You can use these files generated by RREG to generate a certificate request and get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.
Copying Generated Files and Artifacts to the Oracle Traffic Director WebGate Instance Location
After RREG generates these files and artifacts, you must manually copy them, based on the security mode you are using, from the RREG_Home/output/Agent_ID directory to the webgate_instanceDirectory directory.
Do the following according to the security mode you are using:
- In OPEN mode, copy the following files from the RREG_Home/output/Agent_ID directory to the webgate_instanceDirectory/webgate/config directory:
  - wallet
  - ObAccessClient.xml
  - cwallet.sso
- In SIMPLE mode, copy the following files from the RREG_Home/output/Agent_ID directory to the webgate_instanceDirectory/webgate/config directory:
  - wallet
  - ObAccessClient.xml
  - cwallet.sso
  - password.xml
  In addition, copy the following files from the RREG_Home/output/Agent_ID directory to the webgate_instanceDirectory/webgate/config/simple directory:
  - aaa_key.pem
  - aaa_cert.pem
- In CERT mode, copy the following files from the RREG_Home/output/Agent_ID directory to the webgate_instanceDirectory/webgate/config directory:
  - wallet
  - ObAccessClient.xml
  - cwallet.sso
  - password.xml
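The per-mode copy described above can be scripted so that a partial copy is refused and the wallet, passphrase and key files do not stay readable by other local accounts. This is an added example, not Oracle's tooling; the function names are hypothetical, and the owner-only permissions assume the script runs on UNIX as the OS user that owns the Oracle Traffic Director instance.

```python
import os
import shutil
import stat

# Files this page lists per security mode, keyed by subdirectory of webgate/config.
COMMON = ["wallet", "ObAccessClient.xml", "cwallet.sso"]
LAYOUT = {
    "open":   {"": COMMON},
    "simple": {"": COMMON + ["password.xml"],
               "simple": ["aaa_key.pem", "aaa_cert.pem"]},
    "cert":   {"": COMMON + ["password.xml"]},
}

def copy_artifacts(mode, rreg_output, instance_dir):
    """Copy the RREG output for `mode` into instance_dir/webgate/config."""
    layout = LAYOUT[mode.lower()]
    missing = sorted({n for names in layout.values() for n in names
                      if not os.path.exists(os.path.join(rreg_output, n))})
    if missing:  # refuse a partial copy
        raise FileNotFoundError(f"RREG output lacks: {missing}")
    config = os.path.join(instance_dir, "webgate", "config")
    copied = []
    for subdir, names in layout.items():
        dest_dir = os.path.join(config, subdir) if subdir else config
        os.makedirs(dest_dir, exist_ok=True)
        for name in names:
            src, dst = os.path.join(rreg_output, name), os.path.join(dest_dir, name)
            if os.path.isdir(src):
                shutil.copytree(src, dst, dirs_exist_ok=True)
            else:
                shutil.copyfile(src, dst)
            copied.append(dst)
    for path in copied:  # assumption: only the instance owner needs access
        restrict(path)
    return copied

def restrict(path):
    """Owner-only permissions on a copied file or directory tree."""
    if os.path.isdir(path):
        os.chmod(path, 0o700)
        for entry in os.listdir(path):
            restrict(os.path.join(path, entry))
    else:
        os.chmod(path, 0o600)

def exposed(paths):
    """Copied paths that group or other users can still access."""
    return [p for p in paths if stat.S_IMODE(os.stat(p).st_mode) & 0o077]
```

Pass the RREG_Home/output/Agent_ID directory as `rreg_output` and webgate_instanceDirectory as `instance_dir`; `exposed()` can be rerun later on the returned paths to detect permissions that have drifted.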
Generating a New Certificate
You can generate a new certificate as follows:
- Go to the $(Oracle_Home)/webgate/otd/tools/openssl directory.
- Create a certificate request as follows:
  ./openssl req -utf8 -new -nodes -config openssl_silent_otd12c.cnf -keyout aaa_key.pem -out aaa_req.pem -rand $(Oracle_Home)/webgate/otd/config/random-seed/
- Self-sign the certificate as follows:
  ./openssl ca -config openssl_silent_otd12c.cnf -policy policy_anything -batch -out aaa_cert.pem -infiles aaa_req.pem
- Copy the following generated certificates to the webgate_instanceDirectory/webgate/config directory:
  - aaa_key.pem
  - aaa_cert.pem
  - cacert.pem located in the simpleCA directory
    Note:
    After copying the cacert.pem file, you must rename the file to aaa_chain.pem.
Migrating an Existing Certificate
If you want to migrate an existing certificate (aaa_key.pem, aaa_cert.pem, and aaa_chain.pem), ensure that you use the same passphrase that you used to encrypt aaa_key.pem. You must enter the same passphrase during the RREG registration process. If you do not use the same passphrase, the password.xml file generated by RREG does not match the passphrase used to encrypt the key.
If you enter the same passphrase, you can copy these certificates as follows:
- Go to the webgate_instanceDirectory/webgate/config directory.
- Copy the following certificates to the webgate_instanceDirectory/webgate/config directory:
  - aaa_key.pem
  - aaa_cert.pem
  - aaa_chain.pem
Restarting the Oracle Traffic Director Instance
For information about restarting the Oracle Traffic Director instance, see "Starting, Stopping, and Restarting Oracle Traffic Director Instances by Using WLST" in Administering Oracle Traffic Director.
If you have configured Oracle Traffic Director in a WebLogic Server domain, you can also use Oracle Fusion Middleware Control to restart the Oracle Traffic Director Instances. For more information, see "Starting, Stopping, and Restarting Oracle Traffic Director Instances Using Fusion Middleware Control" in Administering Oracle Traffic Director.
For a standalone instance, you can restart from Domain_Home/config/fmwconfig/components/OTD/instances/Instance_Name/bin using the ./restart command.