Before You Begin
This tutorial shows you how to validate a basic SSO flow using Oracle HTTP Server and WebGate after configuring OAM on OCI MarketPlace.
Background
The Oracle Access Management application is available on the Oracle Cloud Infrastructure Marketplace and allows you to quickly deploy an instance of Oracle Access Management for testing and development only. With OAM running on OCI, you may want to test an SSO flow using OHS and WebGate.
The instructions in this tutorial explain how to install and configure Oracle HTTP Server (OHS) and WebGate on the bastion host to validate the basic SSO flow using WebGate.
If you prefer to test using an on-premises WebGate, your corporate network must have direct connectivity to the public internet. If your corporate network doesn't have direct connectivity, contact OCI to configure FastConnect to connect your corporate network to OCI. If you prefer to use an on-premises WebGate, you can start from the section titled Update the OAM Hostname and Port for the Load balancer.
Note: At present it is not supported to install OHS and WebGate in a Kubernetes cluster.
What Do You Need?
- To have completed the tutorial Deploying Oracle Access Management on Oracle Cloud Infrastructure
- An SSH connection to the bastion host
- The external IP address of the load balancer
- A machine with a VNC client installed
Prepare the Bastion Host for OHS Installation
In this section you prepare the bastion host for the OHS and WebGate installation by installing VNC and Firefox. In order to install OHS on the bastion host, VNC server needs to be installed and a secure SSH tunnel created so the VNC Client can connect successfully:
- Connect to the bastion host using the cluster.key file:
    $ ssh -i cluster.key opc@<bastion_ip>
- On the bastion host run the following commands to install VNC and Firefox:
    $ sudo yum -y install tigervnc-server
    $ sudo yum -y install xterm
    $ sudo yum install firefox
- Start the VNC Server by running the following command. Enter a password of your choice when prompted:
    $ vncserver :1
The output will look similar to the following:
    You will require a password to access your desktops.
    Password:
    Verify:
    Would you like to enter a view-only password (y/n)? y
    Password:
    Verify:
    xauth:  file /home/opc/.Xauthority does not exist
    New 'bastion:1 (opc)' desktop is bastion:1
    Creating default startup script /home/opc/.vnc/xstartup
    Creating default config /home/opc/.vnc/config
    Starting applications specified in /home/opc/.vnc/xstartup
    Log file is /home/opc/.vnc/bastion:1.log
    [opc@bastion ~]$
- On the machine where your VNC client is installed, create a secure SSH tunnel. This tunnel redirects the VNC output of the bastion host to your localhost on port 5901:
    $ ssh -L 5901:localhost:5901 -i '<path>/cluster.key' opc@<bastion_ip>
Note: On Windows you can use PowerShell and run the same command.
- On the machine where your VNC client is installed, start the VNC client and connect to localhost:5901. Enter the password that you entered earlier.
- In the VNC session run the following command to allow access to the X server:
    $ xhost +
Install OHS and WebGate on the Bastion Host
In this section you install the required OS packages on the bastion host, and download and install OHS and WebGate 12.2.1.4.0. All the instructions below are to be run inside the VNC client session.
- In a terminal window run the following commands to install the required OS packages:
    $ sudo yum install compat-libcap1-1.10
    $ sudo yum install compat-libstdc++-33-3.2.3
    $ sudo yum install libstdc++-devel-4.8.5
    $ sudo yum install gcc-4.8.5
    $ sudo yum install gcc-c++-4.8.5
    $ sudo yum install ksh
    $ sudo yum install libaio-devel-0.3.109
- Launch Firefox by running firefox& in a terminal window and access the Oracle Technology Network download page for Web Tier 12cR2 (12.2.1.4.0).
- Under Oracle HTTP Server 12.2.1.4, select Linux 64-bit. Accept the license agreement and download the Oracle HTTP Server 12.2.1.4.0 software, fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.
- Move the file from $HOME/Downloads to a directory, for example $HOME/stage, and unzip it.
- Run the following command to install OHS (ignore any prerequisite check failures):
    $ cd $HOME/stage
    $ ./fmw_12.2.1.4.0_ohs_linux64.bin
- Follow the table below to guide you through the installation screens:
Window | Choices or Values |
Installation Inventory Setup | Inventory Directory: /home/opc/oraInventory; Operating System Group: opc |
Welcome | Click Next |
Auto Updates | Click Next |
Installation Location | Oracle Home: /home/opc/Oracle/Middleware/Oracle_Home |
Installation Type | Standalone HTTP Server (Managed independently of WebLogic Server) |
JDK Selection | JDK Home: /home/opc/Oracle/Middleware/Oracle_Home/oracle_common/jdk/jre |
Prerequisite Checks | Click Next |
Installation Summary | Click Install. The Installation Progress screen will appear |
Installation Complete | Click Finish |
Configure OHS
In this section you configure OHS, start up Node Manager and OHS. All the instructions below are to be run inside the VNC client session.
- In a terminal window run the following command to launch the Configuration Wizard:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
    $ ./config.sh
- Follow the table below to guide you through the configuration screens:
Window | Choices or Values |
Create Domain | Select Create a new Domain. Domain Location: /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain |
Templates | Select Oracle HTTP Server (Standalone) |
JDK Selection | Click Next |
System Components | Click Next |
OHS Server | Click Next |
Node Manager | Select Per Domain Default Location. Username: weblogic; Password: <password>; Confirm Password: <password> |
Configuration Summary | Click Create |
Configuration Progress | Click Next |
End of Configuration | Click Finish |
- Run the following command to start the Node Manager:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
    $ nohup ./startNodeManager.sh > nm.out &
- Run the following command to start OHS and enter the password for Node Manager when prompted:
    $ ./startComponent.sh ohs1
The output should look similar to the following:
    Starting system Component ohs1 ...
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Reading domain from /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain
    Please enter Node Manager password:
    Connecting to Node Manager ...
    Successfully Connected to Node Manager.
    Starting server ohs1 ...
    Successfully started server ohs1 ...
    Successfully disconnected from Node Manager.
    Exiting WebLogic Scripting Tool.
    Done
    $
- In Firefox access the OHS home page using the URL http://localhost:7777.
Update the OAM Hostname and Port for the Load balancer
In this section you update OAM to reference the external ip address and port of the load balancer.
- In Firefox access the OAM console (https://<external-ip>/oamconsole). Login with the weblogic username and password (weblogic/<password>).
- Navigate to Configuration → Settings (View) → Access Manager.
- Under Load Balancing modify the OAM Server Host and OAM Server Port to point to the load balancer endpoint (e.g. <external-ip> and 443 respectively). In the OAM Server Protocol drop down list select https.
- Under WebGate Traffic Load Balancer modify the OAM Server Host and OAM Server Port to point to the load balancer HTTPS endpoint (e.g. <external-ip> and 443 respectively). In the OAM Server Protocol drop down list select https.
- Click Apply.
Register a WebGate Agent for OHS
In this section you register the WebGate for your OHS with OAM. All the instructions below are to be run inside the VNC client session. Note: If you chose to use an on-premises OHS and WebGate and didn't install on the bastion host, run the commands in your Linux terminal and change the paths, directories and parameters for your installation accordingly.
- Run the following command to deploy the WebGate instance:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/webgate/ohs/tools/deployWebGate
    $ ./deployWebGateInstance.sh -w /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/ -oh /home/opc/Oracle/Middleware/Oracle_Home
The output will look similar to the following:
    Copying files from WebGate Oracle Home to WebGate Instancedir
- Run the following command to update the OHS configuration files appropriately:
    $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/opc/Oracle/Middleware/Oracle_Home/lib/
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/webgate/ohs/tools/setup/InstallTools
    $ ./EditHttpConf -w /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh /home/opc/Oracle/Middleware/Oracle_Home
The output will look similar to the following:
    The web server configuration file was successfully updated
    /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf has been backed up as /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.ORI
- In a browser access the OAM console (https://<external-ip>/oamconsole). Login with the weblogic username and password (weblogic/<password>).
Note: If OHS and WebGate are on the bastion host, use the browser in the VNC session.
- Navigate to Application Security, Quick Start Wizard, SSO Agent Registration.
- Select Agent Type: Webgate and click Next.
- On the Configure WebGate page enter details as follows, and then click Finish:
Property Name | Value |
Name | localhost_7777 |
Base URL | http://localhost:7777 |
Host Identifier | localhost_7777 |
Security | Open |
Auto Create Policies | Selected |
Public Resource List | Click Add and specify the Relative URI as /public/index.html |
Note: If you have configured an on-premises WebGate then change the Base URL etc. accordingly.
- Click Download and save the file.
- In a terminal window run the following command to copy the WebGate files to the appropriate directory:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/webgate/config
    $ unzip /home/opc/Downloads/localhost_7777.zip
The output will look similar to the following:
    Archive:  localhost_7777.zip
      inflating: wallet/cwallet.sso.lck
      inflating: wallet/cwallet.sso
      inflating: cwallet.sso.lck
      inflating: cwallet.sso
      inflating: ObAccessClient.xml
- Copy the load balancer certificate to the current directory and rename it to cacert.pem as follows:
    $ cp /home/opc/tls-nginx.crt cacert.pem
- Restart the OHS server. Enter the Node Manager password when prompted:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
    $ ./stopComponent.sh ohs1
    $ ./startComponent.sh ohs1
Test the WebGate
In this section you test the WebGate configuration is working and you can access the OHS home page. For installs on the bastion host, access the browser from the VNC session.
- In the browser access the OHS home page using the URL http://localhost:7777. You should be redirected to the OAM SSO login page (notice that the redirect URL now points to the OAM server https://<external-ip>).
- Log in as weblogic/<password>. The OHS Welcome page should be displayed.
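The same check can be scripted from the bastion host so that it is repeatable after every OHS restart. The shell functions below are an added example, not part of the Oracle tutorial: they classify the WebGate's response to an unauthenticated request as a redirect to the OAM server behind the load balancer, a directly served page (expected only for the public resource /public/index.html registered above), or something unexpected. The OAM host (the load balancer external IP) is an argument; the sample header blocks are constructed.

```shell
#!/bin/sh
# Added example, not code from the Oracle tutorial. Verifies the WebGate SSO
# behaviour configured above: protected URLs on http://localhost:7777 must be
# redirected to https://<external-ip>/..., the public resource must be served.

# classify_response HEADERS OAM_HOST
# Prints one of: oam-redirect, served, unexpected.
classify_response() {
    headers=$(printf '%s\n' "$1" | tr -d '\r')
    oam_host=$2
    # status code from the first line, e.g. "HTTP/1.1 302 Found" -> 302
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    # first Location header, if any
    location=$(printf '%s\n' "$headers" | sed -n 's/^[Ll]ocation: *//p' | head -n 1)
    case "$status" in
        302|303|307)
            case "$location" in
                "https://$oam_host/"*) echo oam-redirect ;;
                *) echo unexpected ;;   # redirected somewhere other than OAM
            esac ;;
        200) echo served ;;
        *) echo unexpected ;;
    esac
}

# check_url URL OAM_HOST: fetch the headers with curl (redirects not followed,
# body discarded) and classify them. Run this on the bastion host, e.g.:
#   check_url http://localhost:7777/ <external-ip>            -> oam-redirect
#   check_url http://localhost:7777/public/index.html <external-ip> -> served
check_url() {
    classify_response "$(curl -sS -o /dev/null -D - "$1")" "$2"
}

# Constructed sample responses (203.0.113.10 stands in for <external-ip>;
# the OAM path in the Location header is illustrative).
SAMPLE_REDIRECT='HTTP/1.1 302 Found
Date: Mon, 01 Jan 2024 00:00:00 GMT
Location: https://203.0.113.10/oam/server/obrareq.cgi?encquery=CONSTRUCTED
Content-Length: 0'
SAMPLE_PUBLIC='HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 12'
```

If a protected URL is reported as served, WebGate is not intercepting the request; if it is reported as unexpected, compare the Location host against the values set under Load Balancing and WebGate Traffic Load Balancer in the OAM console.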
Want to Learn More?
Cloud Infrastructure MarketPlace
Oracle Access Management
Using VNC securely in Oracle Cloud Infrastructure
Feedback
To provide feedback on this tutorial, please contact Identity Management User Assistance.