Install and Configure Oracle HTTP Server for Oracle Access Management 12c

Introduction

This tutorial shows you how to install and configure Oracle HTTP Server and WebGate 12c for use with Oracle Access Management 12c.

This is the eighth tutorial in the series Getting Started with Oracle Access Management 12c. Read them sequentially.

Objective

Most organizations use Oracle HTTP Server as a front end to access web applications. Oracle WebGate is used to protect web applications with Oracle Access Management.

Prerequisites

You must have completed the tutorial Configure Oracle Unified Directory for Oracle Access Management 12c.

Download the Oracle HTTP Server 12c Software

In this section, you download Oracle HTTP Server (OHS) 12c software. In this release Oracle WebGate software is included in the Oracle HTTP Server installation.

  1. Launch a browser and navigate to Oracle Web Tier Downloads.

  2. Under Oracle HTTP Server 12.2.1.4, select Linux 64-bit. Accept the license agreement and download the Oracle HTTP Server 12.2.1.4.0 software, fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.

  3. After the download is complete, move the zip file to a staging directory, for example /stage/OHS12c, and unzip it.

Install Oracle HTTP Server 12c

  1. Launch a terminal window as oracle and enter the following commands to install OHS:

    cd /stage/OHS12c
    ./fmw_12.2.1.4.0_ohs_linux64.bin
    
  2. Follow the table below to guide you through the installation screens:

    Step | Window Description | Choice or Values
    1 | Welcome | Click Next
    2 | Auto Updates | Skip Auto Updates
    3 | Installation Location | Oracle Home: /u01/app/oracle/product/middleware/
    4 | Installation Type | Collocated HTTP Server (Managed through WebLogic Server)
    5 | JDK Selection | JDK Home: /u01/app/oracle/product/jdk
    6 | Prerequisite Checks | Click Next
    7 | Installation Summary | Click Install
    8 | Installation Progress | Click Next
    9 | Installation Complete | Click Finish

    Note: The Saving the inventory section of the installer may take a long time to complete.

Configure HTTP Server

  1. Launch a terminal window as oracle and enter the following commands to stop the WebLogic Admin Server:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./stopWebLogic.sh
    
  2. Run the following command to launch the Configuration Wizard:

    cd /u01/app/oracle/product/middleware/oracle_common/common/bin
    ./config.sh
    
  3. Follow the table below to guide you through the configuration screens:

    Step | Window Description | Choice or Values
    1 | Create Domain | Select Update an existing domain; Domain Location: /u01/app/oracle/admin/domains/oam_domain
    2 | Templates | Oracle HTTP Server (Collocated)
    3 | Database Configuration Type | Get RCU Configuration
    4 | Component Datasources | Click Next
    5 | JDBC Component Schema Test | Click Next
    6 | Advanced Configuration | Click System Components; System Component: ohs1
    7 | System Components | Click Add
    8 | OHS Server | Server Name: http://oam.example.com:7777
    9 | Machine | Click Next
    10 | Assign System Components to Machines | Select ohs1 and oam_machine and click the arrow to move ohs1 under oam_machine
    11 | Configuration Summary | Click Update
    12 | Configuration Progress | Click Next
    13 | End of Configuration | Click Finish

Start the Servers

  1. Launch a terminal window as oracle and run the following commands to start the WebLogic AdminServer:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./startWebLogic.sh
    
  2. In another terminal window run the following command:

    cp -R /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/ohs1 /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/components/OHS/instances
    
  3. In another terminal window run the following commands to stop and start Node Manager:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./stopNodeManager.sh
    ./startNodeManager.sh
    
    
  4. In another terminal window run the following commands to start Oracle HTTP Server. Enter the password when prompted:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./startComponent.sh ohs1
    

    You should see the following if OHS started successfully:

    Successfully Connected to Node Manager.
    Starting server ohs1 ...
    Successfully started server ohs1 ...
    Successfully disconnected from Node Manager.
    Exiting WebLogic Scripting Tool.  Done
    
  5. Launch a browser and check that OHS is accessible at the URL http://oam.example.com:7777.

Configure SSL for OHS

In this section you configure SSL for OHS.

Configure Node Manager for SSL

In this section we update Node Manager to use the oam_keystore.jks.

  1. Edit the file /u01/app/oracle/admin/domains/oam_domain/nodemanager/nodemanager.properties, add the following lines and save the file:

    KeyStores=CustomIdentityAndCustomTrust
    CustomIdentityKeyStoreFileName=/u01/app/oracle/admin/domains/oam_domain/keystore/oam_keystore.jks
    CustomIdentityAlias=server_cert
    CustomIdentityPrivateKeyPassPhrase=<password>
    CustomTrustKeyStoreFileName=/u01/app/oracle/admin/domains/oam_domain/keystore/oam_keystore.jks
    
  2. Restart Node Manager:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./stopNodeManager.sh
    ./startNodeManager.sh
    

Create a Stripe

  1. Launch a browser and access Oracle Fusion Middleware Control: https://oam.example.com:7002/em. Log in as weblogic/<password>.

  2. Navigate to WebLogic Domain > Security > Keystore. Click on Create Stripe.

  3. Enter OHS as the Stripe Name and click OK.

Create a Keystore for OHS

  1. From the navigation menu (top left), select HTTP Server > ohs1.

  2. From the drop down menu select Oracle HTTP Server > Security > Keystore.

  3. Click on Create Keystore, enter Keystore Name as ohs1_keystore and click OK.

  4. Select the new keystore and click Manage.

  5. Click on Generate Keypair and CSR. Enter the fields as follows and click OK:

    • Alias: ohs_cert
    • Common name: oam.example.com
    • Country: US

    The rest of the fields can be left as is.

  6. In the Generate CSR window that appears, click Export CSR and export it to a file named ohs_cert.csr. Click Close.

  7. Send the CSR to a Certificate Authority (CA) of your choice to have a certificate generated. The CA should send back the server certificate and the root CA certificate(s) that signed it. For the purposes of this tutorial the certificates returned are saved as ohs_cert.crt and ca.crt for the server certificate and CA certificate respectively.

    Note: If you do not have a CA and you generated your own CA in the previous tutorial, you can generate the certificate as follows:

    cd /stage/ssl
    openssl x509 -req -days 36500 -in ohs_cert.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out ohs_cert.crt
    

    The output will look similar to the following:

    Signature ok
    subject=/C=US/CN=oam.example.com
    Getting CA Private Key
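
Before importing the signed certificate, it is worth confirming that it chains to ca.crt, carries the same public key as ohs_cert.csr and has the expected Common Name. The script below is an added example, not part of the Oracle tutorial; the function names `verify_issued_cert` and `make_demo_pki` are hypothetical, and the demo PKI is a throwaway constructed in a temporary directory so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Oracle tutorial): pre-import checks for a CA-signed cert.

# verify_issued_cert CSR CERT CA_CERT EXPECTED_CN
# Returns 0 when every check passes, otherwise a code naming the failed check.
verify_issued_cert() {
    csr=$1; crt=$2; ca=$3; want_cn=$4

    # 1. The certificate must chain to the CA that will be imported as ca_cert.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "FAIL: $crt does not verify against $ca"; return 1; }

    # 2. The certificate must carry the public key from the CSR, otherwise it
    #    cannot be paired with the private key held in the keystore.
    csr_key=$(openssl req -in "$csr" -noout -pubkey 2>/dev/null)
    crt_key=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    [ -n "$csr_key" ] && [ "$csr_key" = "$crt_key" ] ||
        { echo "FAIL: public key differs from CSR"; return 2; }

    # 3. The subject CN must be the host name clients will connect to.
    got_cn=$(openssl x509 -in "$crt" -noout -subject -nameopt multiline |
             sed -n 's/^ *commonName *= *//p')
    [ "$got_cn" = "$want_cn" ] ||
        { echo "FAIL: CN is '$got_cn', expected '$want_cn'"; return 3; }

    echo "OK: $crt matches $csr and chains to $ca"
}

# make_demo_pki DIR: constructed sample input (throwaway CA, keys, CSRs, cert).
make_demo_pki() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/C=US/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/CN=oam.example.com" \
        -keyout "$d/ohs.key" -out "$d/ohs_cert.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/ohs_cert.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -set_serial 02 -out "$d/ohs_cert.crt" 2>/dev/null
    # A second CSR with a different key, used to show the mismatch case.
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/CN=oam.example.com" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
verify_issued_cert "$demo_dir/ohs_cert.csr" "$demo_dir/ohs_cert.crt" \
    "$demo_dir/ca.crt" oam.example.com
```

For the real files, run `verify_issued_cert ohs_cert.csr ohs_cert.crt ca.crt oam.example.com` from /stage/ssl.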
    

Import the Certificates

  1. From the navigation menu (top left), select HTTP Server > ohs1.

  2. From the drop down menu select Oracle HTTP Server > Security > Keystore and click Manage.

  3. Click on Import.

  4. In the Certificate Type, select Trusted Certificate. Enter the alias as ca_cert and either paste the contents of the root CA certificate ca.crt or select the ca.crt file and click OK.

    Note: If your CA has more than one CA certificate in the chain, then you must repeat the above for each certificate using a different alias each time.

  5. Click on Import again, and import the ohs_cert.crt. From the alias drop down menu select ohs_cert and either paste the contents of the ohs_cert.crt or select the file and click OK.

Import the Trusted Certificate to WebLogic Domain

  1. From the navigation menu (top left), select WebLogic Domain > oam_domain.

  2. From the WebLogic Domain drop down menu select Security > Keystore.

  3. Expand system and select trust. Click Manage.

  4. In the Manage Certificates: system/trust, click Import.

  5. In the Certificate Type, select Trusted Certificate. Enter the alias as ca_cert and either paste the contents of the root CA certificate ca.crt or select the ca.crt file and click OK.

    Note: If your CA has more than one CA certificate in the chain, then you must repeat the above for each certificate using a different alias each time.

Export the Keystore to a Wallet

  1. From the navigation menu (top left), select HTTP Server > ohs1.

  2. From the drop down menu select Oracle HTTP Server > Security > Keystore.

  3. Click the padlock (top right hand corner) and select Lock and Edit.

  4. Select the ohs1_keystore and click Export Keystore to Wallet.

    Note: This does not download a file, but creates the cwallet.sso directly on the file system where OHS resides.

  5. Click the padlock (top right hand corner) and select Activate Changes.

Enable SSL for OHS

  1. Click the padlock (top right hand corner) and select Lock and Edit.

  2. Navigate to Oracle HTTP Server > Administration > Virtual Hosts.

  3. Select :4443 and click Configure > SSL Configuration.

  4. In the Server Wallet Name, from the drop down menu select the path to the ohs1_keystore. Click OK.

  5. Click the padlock (top right hand corner) and select Activate Changes.

  6. Click Restart to restart OHS.

  7. Launch a browser and check that OHS is accessible via HTTPS at the URL https://oam.example.com:4443.

Next Tutorial

Create and Configure a WebGate.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.

Acknowledgements