Create and Configure a WebGate in Oracle Access Management 12c Sandbox Environment

Introduction

This tutorial shows you how to configure WebGate 12c for Oracle HTTP Server and Oracle Access Management 12c.

This is the eighth and final tutorial in the series Creating an Oracle Access Management 12c Sandbox Environment for Oracle Advanced Authentication; the tutorials in the series should be read sequentially.

Objective

Oracle WebGate is a Web server plug-in that intercepts HTTP requests and forwards them to an Oracle Access Management instance for authentication and authorization.

Prerequisites

To have followed Install and Configure Oracle HTTP Server for Oracle Access Management 12c Sandbox Environment.

All the tasks in this tutorial should be performed on the OHS Linux server (ohs.example.com). Where hostnames (ohs.example.com) or domain names (example.com) are referenced, change them to match your environment.

Configure the Oracle WebGate

  1. On the OHS server (ohs.example.com), launch a terminal window as oracle and enter the following command:

    cd /u01/app/oracle/product/middlewareohs/webgate/ohs/tools/deployWebGate
    ./deployWebGateInstance.sh -w \
    /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1 \
    -oh /u01/app/oracle/product/middlewareohs/                 
    

    The output should look similar to the following:

    Copying files from WebGate Oracle Home to WebGate Instancedir
    
  2. Check that a webgate directory and subdirectories were created:

    ls -lart /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate
    

    The output should look similar to the following:

    total 16
    drwxr-x--- 7 oracle oinstall 4096 <DATE> ..
    drwxr-xr-x 4 oracle oinstall 33   <DATE> .
    drwxr-xr-x 3 oracle oinstall 21   <DATE> tools
    drwxr-xr-x 3 oracle oinstall 47   <DATE> config
    
  3. Run the following commands:

    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u01/app/oracle/product/middlewareohs/lib
    cd /u01/app/oracle/product/middlewareohs/webgate/ohs/tools/setup/InstallTools
    ./EditHttpConf -w /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1 \
    -oh /u01/app/oracle/product/middlewareohs/ 
    

    The output should look similar to the following:

    The web server configuration file was successfully updated
    /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf
    has been backed up as 
    /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.
    

Enable OAM REST OAP Calls

In Oracle Access Manager 12c, WebGate interacts with Oracle Access Manager through REST API calls. For WebGate to have unrestricted access to these REST APIs, you need to update the webgate.conf file.

  1. Edit the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate.conf file and add the following lines:

    <LocationMatch "/iam/access/binding/api/v10/oap">
     require all granted
    </LocationMatch>
    

Add the OHS Certificate to WebGate and Configure REST Endpoints

Oracle WebGate 12c uses REST calls to interact with Oracle Access Manager 12c. To ensure that the communication works properly, you have to copy the OHS certificate to the WebGate configuration and ensure that the REST endpoints are set correctly.

Copy the OHS CA Certificate to WebGate Config

  1. Copy the OHS CA certificate to /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate/config and rename the file to cacert.pem:

    cd /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate/config
    cp /stage/OHS12c/ssl/cacert.crt cacert.pem
    

Ensure that the REST Endpoints are Set Correctly

To ensure that the REST endpoints are set correctly:

  1. Log in to the OAM Console using your oam administrator account (oamadmin).

  2. Click Agents.

  3. Click Search.

  4. Locate and click the name of the Webgate_IDM agent from the search results to bring up the edit screen.

  5. Expand the User Properties screen and check that the following parameters are defined correctly:

    • OAMRestEndPointHostName = ohs.example.com
    • OAMRestEndPointPort = 443
    • OAMServerCommunicationMode = HTTPS

  6. Click Apply.

Copying WebGate Artifacts to OHS

When you created your Oracle Access Management installation, a WebGate called Webgate_IDM was created. In order for WebGate to communicate with the Access servers, you must copy the artifacts associated with this WebGate to the OHS.

  1. Copy the /stage/OAM12c/webgate.tar from the OAM server (oam.example.com) to the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate/config directory on the OHS server (ohs.example.com).

  2. On the OHS server run the following command:

    cd /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/webgate/config
    tar xvf webgate.tar
    
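The following script is an added post-configuration check and is not part of the Oracle tutorial: it verifies, before OHS is restarted, the results of the steps above (the OAP LocationMatch in webgate.conf, the httpd.conf update made by EditHttpConf, cacert.pem, and the extracted agent artifacts). The instance directory is the one used throughout this tutorial; the artifact file names ObAccessClient.xml and cwallet.sso are assumed, since the tutorial does not list the contents of webgate.tar.

```shell
#!/bin/sh
# Added post-configuration check; not part of the Oracle tutorial.
# INSTANCE_DIR is the OHS instance directory used throughout the tutorial.
INSTANCE_DIR="${INSTANCE_DIR:-/u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1}"

pass() { echo "ok   $1"; }
fail() { echo "FAIL $1"; fails=$((fails + 1)); }

# check_webgate_config DIR: prints one line per check, return value = number of failures
check_webgate_config() {
    dir="$1"; cfg="$dir/webgate/config"; fails=0

    # EditHttpConf wires webgate.conf into httpd.conf; without it the plug-in never loads.
    if grep -q 'webgate.conf' "$dir/httpd.conf" 2>/dev/null; then
        pass "httpd.conf references webgate.conf"
    else fail "httpd.conf does not reference webgate.conf"; fi

    # The OAP REST binding path must be granted, or WebGate cannot reach OAM.
    if grep -q 'LocationMatch "/iam/access/binding/api/v10/oap"' "$dir/webgate.conf" 2>/dev/null \
        && grep -qi 'require all granted' "$dir/webgate.conf"; then
        pass "webgate.conf grants /iam/access/binding/api/v10/oap"
    else fail "webgate.conf lacks the OAP LocationMatch with 'require all granted'"; fi

    # The OHS CA certificate must be present, in PEM form, under the name WebGate expects.
    if grep -q 'BEGIN CERTIFICATE' "$cfg/cacert.pem" 2>/dev/null; then
        pass "cacert.pem is a PEM certificate"
    else fail "cacert.pem is missing or not PEM"; fi

    # Agent artifacts extracted from webgate.tar. File names are assumed (standard
    # 12c WebGate artifacts); the tutorial only says "the artifacts associated with this WebGate".
    for f in ObAccessClient.xml cwallet.sso; do
        if [ -f "$cfg/$f" ]; then pass "$f present"; else fail "$f missing"; fi
    done

    # cwallet.sso carries the agent's credentials: it must not be readable by other users.
    if [ -f "$cfg/cwallet.sso" ]; then
        if [ -n "$(find "$cfg/cwallet.sso" -perm -o+r)" ]; then fail "cwallet.sso is world-readable"
        else pass "cwallet.sso is not world-readable"; fi
    fi

    return "$fails"
}

# Run against the real instance directory with: sh check_webgate.sh run
if [ "${1:-}" = "run" ]; then check_webgate_config "$INSTANCE_DIR"; fi
```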

Restart OHS

  1. Launch a terminal window as oracle and run the commands below to stop and start the OHS instance (ohs1). Enter the <password> when prompted:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./stopComponent.sh ohs1
    ./startComponent.sh ohs1
    

Set Up the WebLogic Server Authentication Providers

To set up the WebLogic Server authentication providers, back up the configuration files, set up the Oracle Access Manager Identity Assertion Provider, and set the provider order.

Backing Up Configuration Files

  1. On the OAM server (oam.example.com) make a copy of the following files:

    • /u01/app/oracle/admin/domains/oam_domain/config/config.xml
    • /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/jps-config.xml
    • /u01/app/oracle/admin/domains/oam_domain/config/fmwconfig/system-jazn-data.xml
    • /u01/app/oracle/admin/domains/oam_domain/servers/AdminServer/security/boot.properties

Set Up the Oracle Access Manager Identity Assertion Provider

  1. Log in to the WebLogic Server Administration Console http://oam.example.com:7001/console.

  2. Click Lock & Edit.

  3. Click Security Realms in the left navigation bar.

  4. Click the myrealm default realm entry.

  5. Click the Providers tab.

  6. Click OAMIDAsserter.

  7. Select both the ObSSOCookie and OAM_REMOTE_USER options and move to Chosen, if they are not selected by default.

  8. Click Save to save the settings.

  9. Click Activate Changes to propagate the changes.

  10. Restart the OAM Administration Server. Launch a terminal window as oracle on the OAM server (oam.example.com) and enter the following commands:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./stopWebLogic.sh
    ./startWebLogic.sh
    

Test the WebGate

  1. Launch an Incognito or private browser. Access the OHS URL: https://ohs.example.com/console.

    You should be redirected to the OAM SSO login page.

  2. Log in as weblogic_iam/<password>.

    The WebLogic Server Administration Console should appear.

    Exit the browser.

  3. Launch an Incognito or private browser. Access the OHS URL: https://ohs.example.com/em.

    You should be redirected to the OAM SSO login page.

  4. Log in as weblogic_iam/<password>.

    The Oracle Enterprise Manager Fusion Middleware Control 12c console should appear.

    Logout and exit the browser.

  5. Launch an Incognito or private browser. Access the OHS URL: https://ohs.example.com/oamconsole.

    You should be redirected to the OAM SSO login page.

  6. Log in as oamadmin/<password>.

    The Oracle Access Management console should appear.

    Logout and exit the browser.
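The browser checks above can also be scripted. The following is an added example, not from the Oracle tutorial: it requests each protected URL without credentials and without following redirects, and passes only when OHS answers with a 302 to the OAM login flow rather than serving the console. It verifies the OHS certificate against the CA file copied earlier (/stage/OHS12c/ssl/cacert.crt); the /oam/server/ redirect path is an assumption about OAM's login URL.

```shell
#!/bin/sh
# Added example, not part of the Oracle tutorial: scripted "Test the WebGate".
# An unauthenticated request to a protected URL must come back as an OAM SSO
# redirect (HTTP 302 to /oam/server/..., assumed path), never as a 200.
OHS_URL="${OHS_URL:-https://ohs.example.com}"
OHS_CA="${OHS_CA:-/stage/OHS12c/ssl/cacert.crt}"

# check_sso_redirect: reads raw HTTP response headers on stdin, prints a verdict,
# returns 0 only when the response is a 302 whose Location is the OAM login flow.
check_sso_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdrs" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        302)
            case "$location" in
                */oam/server/*) echo "ok   302 -> $location"; return 0 ;;
                *) echo "FAIL 302 but Location is not the OAM login flow: $location"; return 1 ;;
            esac ;;
        200) echo "FAIL served without authentication (HTTP 200)"; return 1 ;;
        *)   echo "FAIL unexpected status '$status'"; return 1 ;;
    esac
}

# probe_protected PATH: GET the URL, keep only the headers, do not follow redirects,
# and validate the server certificate against the OHS CA instead of using -k.
probe_protected() {
    curl -sS -o /dev/null -D - --cacert "$OHS_CA" "$OHS_URL$1" | check_sso_redirect
}

# Run against the sandbox with: sh test_webgate.sh run
if [ "${1:-}" = "run" ]; then
    rc=0
    for p in /console /em /oamconsole; do probe_protected "$p" || rc=1; done
    exit "$rc"
fi
```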

Next Steps

The Oracle Access Management 12c sandbox environment is now complete.

You are now ready to install Oracle Advanced Authentication using the OAM 12c sandbox environment. See Procedure for Installing OAA, OARM, and OUA.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.

More Learning Resources

Explore other labs on docs.oracle.com/learn or access more free learning content on the Oracle Learning YouTube channel. Additionally, visit education.oracle.com/learning-explorer to become an Oracle Learning Explorer.

For product documentation, visit Oracle Help Center.