Install and Configure Oracle HTTP Server for Oracle Access Management 12c Sandbox Environment

Introduction

This tutorial shows you how to install and configure Oracle HTTP Server and WebGate 12c for use with Oracle Access Management 12c.

This is the seventh tutorial in the series Creating an Oracle Access Management 12c Sandbox Environment for Oracle Advanced Authentication; the tutorials should be read sequentially.

Objective

Most organizations use Oracle HTTP Server as a front end to access web applications. Oracle WebGate is used to protect web applications with Oracle Access Management.

Prerequisites

To have followed Configure Oracle Access Management 12c Sandbox Environment.

All the tasks in this tutorial should be performed on the OHS linux server (ohs.example.com). Where hostnames (ohs.example.com, oam.example.com) or domain names (example.com) are referenced, change to match your environment.

You must follow the Verifying Certification, System, and Interoperability Requirements and ensure all the required OS packages are installed before starting this tutorial.

This tutorial assumes you have created an OS user:group called oracle:oinstall.

Create the Required Directories

In this section you create the required directories for installation on the OHS server (ohs.example.com).

  1. Launch a terminal window as oracle and enter the following commands to create the directories and set their ownership:

    mkdir -p /u01/app/oracle/product
    mkdir -p /u01/app/oraInventory
    chown -R oracle:oinstall /u01/app/oracle/
    chown -R oracle:oinstall /u01/app/oraInventory
    chmod -R 775 /u01
    

Download the JDK

  1. Navigate to the Java Downloads page.
  2. Under Java SE Development Kit 8uXX, download the latest x64 Compressed Archive (for example jdk-8uXXX-linux-x64.tar.gz).
  3. Move the downloaded software to a staging directory, for example /stage/JDK.

Install Oracle JDK

  1. Launch a terminal window as oracle and enter the following command to install the JDK:

    cp /stage/JDK/jdk-8uXXX-linux-x64.tar.gz /u01/app/oracle/product/
    cd /u01/app/oracle/product
    tar -zxvpf jdk-8uXXX-linux-x64.tar.gz
    mv jdk1.8.0_XXX jdk
    rm jdk-8uXXX-linux-x64.tar.gz
    
  2. Validate the JDK installation by running the commands below:

    export JAVA_HOME=/u01/app/oracle/product/jdk 
    $JAVA_HOME/bin/java -version
    

    The output should look similar to the following:

    java version "1.8.0_333"
    Java(TM) SE Runtime Environment (build 1.8.0_333-b02)
    Java HotSpot(TM) 64-Bit Server VM (build 25.333-b02, mixed mode)
    
  3. Enter the command vi $HOME/.bash_profile, enter the following variables and save the file:

    export JAVA_HOME=/u01/app/oracle/product/jdk
    export PATH=$JAVA_HOME/bin:$PATH
    
  4. Repeat step 3 to include the JDK variables in the $HOME/.bashrc file. Exit the terminal window.

Download the Oracle HTTP Server 12c Software

In this section, you download Oracle HTTP Server (OHS) 12c software. In this release Oracle WebGate software is included in the Oracle HTTP Server installation.

  1. Launch a browser and navigate to Oracle Web Tier Downloads.

  2. Under Oracle HTTP Server 12.2.1.4, select Linux 64-bit. Accept the license agreement and download the Oracle HTTP Server 12.2.1.4.0 software, fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.

  3. After the download is complete, move the zip file to a staging directory on the OHS server (ohs.example.com), for example /stage/OHS12c, and unzip it.

Install Oracle HTTP Server 12c

  1. On the OHS server, (ohs.example.com), launch a terminal window as oracle and enter the following commands to install OHS:

    cd /stage/OHS12c
    ./fmw_12.2.1.4.0_ohs_linux64.bin
    
  2. Follow the table below to guide you through the installation screens:

    Step  Window Description            Choice or Values
    1     Installation Inventory Setup  Inventory Directory: /u01/app/oraInventory; Operating System Group: oinstall
    2     Welcome                       Click Next
    3     Auto Updates                  Skip Auto Updates
    4     Installation Location         Oracle Home: /u01/app/oracle/product/middlewareohs/
    5     Installation Type             Standalone HTTP Server (Managed independently of WebLogic Server)
    6     JDK Selection                 JDK Home: /u01/app/oracle/product/jdk
    7     Prerequisite Checks           Click Next
    8     Installation Summary          Click Install
    9     Installation Progress         Click Next
    10    Installation Complete         Click Finish

    Note: The Saving the inventory section of the installer may take a long time to complete.

Configure HTTP Server

  1. Run the following command to launch the Configuration Wizard:

    cd /u01/app/oracle/product/middlewareohs/oracle_common/common/bin
    ./config.sh
    
  2. Follow the table below to guide you through the configuration screens:

    Step  Window Description       Choice or Values
    1     Create Domain            Select Create a new domain; Domain Location: /u01/app/oracle/admin/domains/ohs_domain
    2     Templates                Oracle HTTP Server (Standalone)
    3     JDK Selection            JDK Home: /u01/app/oracle/product/jdk
    4     System Components        Click Next
    5     OHS Server               Server Name: http://ohs.example.com:7777
    6     Node Manager Type        Per Domain Default Location; Username: weblogic; Password and Confirm Password: password
    7     Configuration Summary    Click Create
    8     Configuration Progress   Click Next
    9     End of Configuration     Click Finish

Start the Servers

  1. Launch a terminal window as oracle and run the following commands to start Node Manager:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./startNodeManager.sh
    
  2. In another terminal window run the following commands to start Oracle HTTP Server. Enter the password when prompted:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./startComponent.sh ohs1
    

    You should see the following if OHS started successfully:

    Successfully Connected to Node Manager.
    Starting server ohs1 ...
    Successfully started server ohs1 ...
    Successfully disconnected from Node Manager.
    Exiting WebLogic Scripting Tool.  Done
    
  3. Launch a browser and check that OHS is accessible at the URLs http://ohs.example.com:7777 and https://ohs.example.com:4443.

Configure SSL for OHS

Update OHS to run SSL on 443

In this section you update OHS to run on port 443.

  1. Launch a terminal window as oracle and run the following commands (the launch binary must be owned by root and setuid so that OHS can bind to the privileged port 443):

    sudo su - root
    chown root /u01/app/oracle/product/middlewareohs/ohs/bin/launch
    chmod 4750 /u01/app/oracle/product/middlewareohs/ohs/bin/launch
    exit
    
  2. As the oracle user, edit the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/ssl.conf, change 4443 to 443 and save the file:

    Listen 443
    ...
    ...
    
    #[VirtualHost] OHS_SSL_VH
    <VirtualHost *:443>
    

    Also add the following under the VirtualHost:

    # Add the following
    ServerName https://ohs.example.com
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit
    UseCanonicalName On
    RequestHeader set "X-Forwarded-Host" "ohs.example.com"
    

    For example:

    <VirtualHost *:443>
    
    ServerName https://ohs.example.com
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit
    UseCanonicalName On
    RequestHeader set "X-Forwarded-Host" "ohs.example.com"
    
    <IfModule ossl_module>
    #  SSL Engine Switch:
    #  Enable/Disable SSL for this virtual host.
    SSLEngine on
    ...
    
  3. Edit the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf and add the oracle user and group to the main server configuration, for example:

    # 'Main' server configuration
    ...
    etc..
    ...
    #ServerAdmin you@example.com
    
    User oracle
    Group oinstall
    
  4. Restart OHS. Enter the password when prompted:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./stopComponent.sh ohs1
    ./startComponent.sh ohs1
    
  5. Launch a browser and check that OHS is accessible on 443 by accessing the URL https://ohs.example.com.

Creating Certificates and Wallets for OHS

The default OHS uses a self-signed certificate. While this certificate is generally fine for testing most functionality, if you are using this sandbox environment with Oracle Advanced Authentication and want to test FIDO2 factors, you must use a valid certificate issued by a trusted certificate authority such as Verisign.

If you do not want to buy a certificate, you can generate your own Certificate Authority (CA) that will work with FIDO2. Note: This should be used for testing purposes only.

  1. Create a private key and CA certificate as follows. Enter a password for your private key, and enter the Distinguished Name information as appropriate:

    mkdir /stage/OHS12c/ssl/
    cd /stage/OHS12c/ssl/
    openssl req -new -x509 -keyout cakey.pem -out cacert.crt -days 3650
    

    The output will look similar to the following:

    Generating a RSA private key
    .....................................+++++
    .........................................+++++
    writing new private key to 'cakey.pem'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:US
    State or Province Name (full name) []:California
    Locality Name (eg, city) [Default City]:Redwood Shores
    Organization Name (eg, company) [Default Company Ltd]:Example Company
    Organizational Unit Name (eg, section) []:Security
    Common Name (eg, your name or your server's hostname) []:Example Company CA
    Email Address []:security@example.com
    
  2. Create a file /stage/OHS12c/ssl/altnames.conf as follows:

    [req]
    distinguished_name = req_distinguished_name
    req_extensions = v3_req
    prompt = no
    [req_distinguished_name]
    C = US
    ST = California
    L = San Francisco
    O = Example
    OU = Example
    CN = *.example.com
    [v3_req]
    keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ohs.example.com
    

    Change *.example.com and ohs.example.com respectively to the domain name and hostname.domain for your OHS server.

  3. Create a new wallet for OHS:

    export ORACLE_HOME=/u01/app/oracle/product/middlewareohs
    export DOMAIN_HOME=/u01/app/oracle/admin/domains/ohs_domain
    mkdir $DOMAIN_HOME/wallet
    $ORACLE_HOME/oracle_common/bin/orapki wallet create -wallet $DOMAIN_HOME/wallet -auto_login_only
    
  4. Create a certificate request for your OHS certificate:

    $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $DOMAIN_HOME/wallet -dn 'CN=*.example.com,OU=Security,O=Example Company,L=Redwood Shores,ST=California,C=US' -keysize 4096 -addext_san DNS:ohs.example.com -auto_login_only
    
  5. Export the certificate request from the wallet:

    $ORACLE_HOME/oracle_common/bin/orapki wallet export -wallet $DOMAIN_HOME/wallet -dn 'CN=*.example.com,OU=Security,O=Example Company,L=Redwood Shores,ST=California,C=US' -request /stage/OHS12c/ssl/ohscert.req
    
  6. Generate a certificate from the certificate request using your Certificate Authority:

    cd /stage/OHS12c/ssl/
    openssl x509 -req -CA cacert.crt -CAkey cakey.pem -CAcreateserial -days 3650 -in ohscert.req -extfile altnames.conf -extensions v3_req -out ohscert.crt
    
  7. Add the Certificate Authority certificate (cacert.crt) to the wallet:

    $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $DOMAIN_HOME/wallet -trusted_cert -cert /stage/OHS12c/ssl/cacert.crt -auto_login_only
    
  8. Add the OHS certificate to the wallet:

    $ORACLE_HOME/oracle_common/bin/orapki wallet add -wallet $DOMAIN_HOME/wallet -user_cert -cert ohscert.crt -auto_login_only
    
  9. Edit the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/ssl.conf, change SSLWallet to the location of your wallet:

    SSLWallet /u01/app/oracle/admin/domains/ohs_domain/wallet
    
  10. Restart OHS. Enter the password when prompted:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./stopComponent.sh ohs1
    ./startComponent.sh ohs1
    
  11. Load the Certificate Authority certificate (/stage/OHS12c/ssl/cacert.crt) into the Trusted Root Certificate Authorities store for any browser you want to access OHS from. See your browser vendor documentation on how to do this.

  12. Start a new incognito/private browser and access the URL https://ohs.example.com. The browser should not throw any errors now that the certificate is issued by a trusted CA.
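An added check, not part of the tutorial, for steps 1 to 8 above. It builds a throwaway CA and a CA-signed server certificate the same way the tutorial does (plain openssl stands in for orapki for the server key and CSR, since orapki only ships inside an Oracle home, and the test CA key is left unencrypted so the script runs unattended), then runs the verifications worth doing before the certificate goes into the wallet: chain, SAN, serverAuth EKU and hostname matching, including a demonstration that the wildcard CN does not cover a host missing from the SAN. It assumes the openssl CLI (1.1.1 or later) is on PATH; HOST and the DNs are constructed sample values.

```python
import os
import subprocess
import tempfile

# Constructed values following the tutorial; change HOST and the DNs for your environment.
HOST = "ohs.example.com"
CA_SUBJ = "/C=US/ST=California/O=Example Company/OU=Security/CN=Example Company CA"
SRV_SUBJ = "/C=US/ST=California/O=Example Company/OU=Security/CN=*.example.com"
# The v3_req section of the tutorial's altnames.conf. 'openssl x509 -extfile' reads only this
# section; the issued certificate's subject comes from the CSR, not from [req_distinguished_name].
EXT_CONF = """[v3_req]
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = {host}
"""

def openssl(*args, check=True):
    """Run the openssl CLI; return (exit code, stdout)."""
    p = subprocess.run(["openssl", *args], check=check, capture_output=True, text=True)
    return p.returncode, p.stdout

def issue_server_cert(workdir, host=HOST):
    """Create a test CA, a server key/CSR and the CA-signed server cert; return (ca_crt, crt)."""
    f = lambda name: os.path.join(workdir, name)
    with open(f("altnames.conf"), "w") as conf:
        conf.write(EXT_CONF.format(host=host))
    # Test CA (step 1); -nodes leaves cakey.pem unencrypted so this runs unattended.
    openssl("req", "-new", "-x509", "-nodes", "-newkey", "rsa:2048", "-days", "3650",
            "-subj", CA_SUBJ, "-keyout", f("cakey.pem"), "-out", f("cacert.crt"))
    # Server key and CSR (steps 3-5); the tutorial uses orapki so the key never leaves the wallet.
    openssl("req", "-new", "-nodes", "-newkey", "rsa:2048", "-subj", SRV_SUBJ,
            "-keyout", f("ohskey.pem"), "-out", f("ohscert.req"))
    # Sign as in step 6, with -days given once (the tutorial's command repeats it).
    openssl("x509", "-req", "-CA", f("cacert.crt"), "-CAkey", f("cakey.pem"), "-CAcreateserial",
            "-days", "3650", "-in", f("ohscert.req"), "-extfile", f("altnames.conf"),
            "-extensions", "v3_req", "-out", f("ohscert.crt"))
    return f("cacert.crt"), f("ohscert.crt")

def check_server_cert(ca_crt, crt, host=HOST):
    """Checks worth running before 'orapki wallet add -user_cert': chain, SAN, EKU, hostname."""
    _, text = openssl("x509", "-in", crt, "-noout", "-text")
    def verifies(*extra):
        rc, out = openssl("verify", "-CAfile", ca_crt, *extra, crt, check=False)
        return rc == 0 and out.strip().endswith("OK")
    return {
        "chain_ok": verifies(),
        "san_has_host": f"DNS:{host}" in text,
        "eku_server_auth": "TLS Web Server Authentication" in text,
        "host_matches": verifies("-verify_hostname", host),
        # With a SAN present, clients ignore the CN, so a name covered only by the wildcard
        # CN=*.example.com must NOT match; add it as DNS.2 under [alt_names] if you need it.
        "cn_only_host_matches": verifies("-verify_hostname", "oam.example.com"),
    }

def run_checks(host=HOST):
    """Issue a certificate in a temporary directory and return the check results."""
    with tempfile.TemporaryDirectory() as d:
        return check_server_cert(*issue_server_cert(d, host), host)

if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'yes' if ok else 'no'}")
```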

Configure OHS as a Proxy for OAM

In this section you configure OHS as a proxy for the OAM URLs.

Update OHS ssl.conf

  1. Edit the /u01/app/oracle/admin/domains/ohs_domain/config/fmwconfig/components/OHS/ohs1/ssl.conf and add the following <Location> directives to the VirtualHost section. Change oam.example.com to the host.domain of your OAM server:

    <VirtualHost *:443>
    
    ServerName https://ohs.example.com
    ServerAdmin you@your.address
    RewriteEngine On
    RewriteOptions inherit
    UseCanonicalName On
    RequestHeader set "X-Forwarded-Host" "ohs.example.com"
    
    ##Add these below the above
    
    <Location /oam>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /oam/services/rest/auth>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /oam/services/rest/access>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /oamfed>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    # OAM Forgotten Password Page
    <Location /otpfp/>   
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /ms_oauth>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /oauth2>
    WLSRequest ON
    DynamicServerList OFF
    WebLogicHost oam.example.com
    WebLogicPort 14100
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    </Location>
    
    <Location /.well-known/openid-configuration>
    WLSRequest ON
    DynamicServerList OFF
    PathTrim /.well-known
    PathPrepend /oauth2/rest
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /.well-known/oidc-configuration>
    WLSRequest ON
    DynamicServerList OFF
    PathTrim /.well-known
    PathPrepend /oauth2/rest
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /CustomConsent>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    <Location /iam/access>
    WLSRequest ON
    DynamicServerList OFF
    WLCookieName OAMJSESSIONID
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WebLogicHost oam.example.com
    WebLogicPort 14100
    </Location>
    
    # WebLogic Remote Console Access
    #
    <Location /console>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /management>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /consolehelp>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /em>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /oamconsole>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /access>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 14150
    </Location>
    
    <Location /iam/admin>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /oam/services/rest/11.1.2.0.0>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /oam/services/rest/ssa>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /oam/services>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
    <Location /dms>
    WLSRequest ON
    DynamicServerList OFF
    WLProxySSL ON
    WLProxySSLPassThrough ON
    WLCookieName OAMJSESSIONID
    WebLogicHost oam.example.com
    WebLogicPort 7001
    </Location>
    
  2. Restart OHS. Enter the password when prompted:

    cd /u01/app/oracle/admin/domains/ohs_domain/bin
    ./stopComponent.sh ohs1
    ./startComponent.sh ohs1
    
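An added audit, not part of the tutorial, for the <Location> blocks above. It parses the blocks out of ssl.conf, reports any that lack one of the directives the tutorial's template uses (in the tutorial, the /consolehelp block has no WLCookieName), and flags paths that forward to the WebLogic AdminServer port, since the public 443 virtual host then exposes administration consoles such as /console, /em and /management. The embedded configuration is a constructed excerpt, and ADMIN_PORTS is an assumption for this sandbox.

```python
import re

# Constructed excerpt in the shape of the tutorial's ssl.conf <Location> blocks. The second
# block omits WLCookieName, as the tutorial's /consolehelp block does.
SAMPLE_SSL_CONF = """
<VirtualHost *:443>
ServerName https://ohs.example.com
<Location /oam>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WLCookieName OAMJSESSIONID
WebLogicHost oam.example.com
WebLogicPort 14100
</Location>
<Location /consolehelp>
WLSRequest ON
DynamicServerList OFF
WLProxySSL ON
WLProxySSLPassThrough ON
WebLogicHost oam.example.com
WebLogicPort 7001
</Location>
</VirtualHost>
"""
# Directives every proxied block in the tutorial carries.
REQUIRED = {"WLSRequest", "DynamicServerList", "WLProxySSL", "WLProxySSLPassThrough",
            "WLCookieName", "WebLogicHost", "WebLogicPort"}
# Assumption for this sandbox: 7001 is the WebLogic AdminServer (the tutorial's /console,
# /em, /management, /oamconsole and /iam/admin blocks all forward to it).
ADMIN_PORTS = {"7001"}
LOCATION_RE = re.compile(r"<Location\s+(\S+?)\s*>(.*?)</Location>", re.DOTALL | re.IGNORECASE)

def parse_locations(conf):
    """Return {path: {directive: value}} for every <Location> block in the config text."""
    blocks = {}
    for path, body in LOCATION_RE.findall(conf):
        directives = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                key, _, value = line.partition(" ")
                directives[key] = value.strip()
        blocks[path] = directives
    return blocks

def audit(conf):
    """Return (path, finding) pairs for incomplete proxy blocks and admin back-ends on the public vhost."""
    findings = []
    for path, d in parse_locations(conf).items():
        if d.get("WLSRequest", "").upper() != "ON":
            continue  # not a mod_wl_ohs proxy block
        missing = sorted(REQUIRED - d.keys())
        if missing:
            findings.append((path, "missing " + ", ".join(missing)))
        if d.get("WebLogicPort") in ADMIN_PORTS:
            findings.append((path, f"forwards to admin port {d['WebLogicPort']} on "
                                   f"{d.get('WebLogicHost')}; restrict with Require ip or keep it off the public vhost"))
    return findings

if __name__ == "__main__":
    for path, finding in audit(SAMPLE_SSL_CONF):
        print(f"{path}: {finding}")
```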

Change OAM Load Balancing settings to OHS

  1. Launch a browser and access the Oracle Access Management Console at http://oam.example.com:7001/oamconsole. Login as oamadmin/<password>.

  2. Navigate to Configuration and then under the Settings tile select View > Access Manager.

  3. Under WebGate Traffic Load Balancer set the following and click Apply:

    • OAM Server Host: ohs.example.com
    • OAM Server Protocol: https
    • OAM Server Port: 443

  4. Launch a terminal on the OAM server (oam.example.com). Restart the oam_server1 server:

    cd /u01/app/oracle/admin/domains/oam_domain/bin
    ./stopManagedWebLogic.sh oam_server1
    ./startManagedWebLogic.sh oam_server1
    

Test the OHS URLs

  1. Launch a browser and check you can access the following URLs:

Note: For the OAM URLs you must close the browser and start a new one after accessing each URL. This is because the logout links in the OAM console will not work until you have performed the tasks in the next tutorial.

Console or Page                     URL                                         Username
Oracle Access Management Console    https://ohs.example.com/oamconsole          oamadmin
Oracle Access Management Console    https://ohs.example.com/access              oamadmin
Logout URL                          https://ohs.example.com/oam/server/logout
Oracle Enterprise Manager Console   https://ohs.example.com/em                  weblogic
WebLogic Administration Console     https://ohs.example.com/console             weblogic

Next Tutorial

Create and Configure a WebGate in Oracle Access Management 12c Sandbox Environment.

Feedback

To provide feedback on this tutorial, please contact idm_user_assistance_ww_grp@oracle.com.
