Oracle by Example: Validating a Basic SSO Flow using WebGate

Section 0: Before You Begin

This tutorial shows you how to validate a basic SSO flow using Oracle HTTP Server and WebGate after configuring OAM on OCI MarketPlace.

Background

The Oracle Access Management application is available on the Oracle Cloud Infrastructure Marketplace and allows you to quickly deploy an instance of Oracle Access Management for testing and development only. With OAM running on OCI, you may want to test an SSO flow using OHS and WebGate.

The instructions in this tutorial explain how to install and configure Oracle HTTP Server (OHS) and WebGate on the bastion host to validate the basic SSO flow using WebGate.

If you prefer to test using an on-premises WebGate then your corporate network must have direct connectivity to the public internet. If your corporate network doesn't have direct connectivity then contact OCI to configure Fast Connect to connect your corporate network to OCI. If you prefer to use an on-premises WebGate you can start from the section titled Update the OAM Hostname and Port for the Load balancer.

Note: At present it is not supported to install OHS and WebGate in a Kubernetes cluster.

What Do You Need?


Section 1: Prepare the Bastion Host for OHS Installation

In this section you prepare the bastion host for the OHS and WebGate installation by installing VNC and Firefox. In order to install OHS on the bastion host, VNC server needs to be installed and a secure SSH tunnel created so the VNC Client can connect successfully:

  1. Connect to the bastion host using the cluster.key file:
    $ ssh -i cluster.key opc@<bastion_ip>
  2. On the bastion host run the following commands to install VNC and Firefox:
    $ sudo yum -y install tigervnc-server
    $ sudo yum -y install xterm
    $ sudo yum install firefox
  3. Start the VNC Server by running the following command. Enter a password of your choice when prompted:
    $ vncserver :1
    The output will look similar to the following:
    You will require a password to access your desktops.
    Password:
    Verify:
    Would you like to enter a view-only password (y/n)? y
    Password:
    Verify:
    xauth:  file /home/opc/.Xauthority does not exist
    New 'bastion:1 (opc)' desktop is bastion:1
    
    Creating default startup script /home/opc/.vnc/xstartup
    Creating default config /home/opc/.vnc/config
    Starting applications specified in /home/opc/.vnc/xstartup
    Log file is /home/opc/.vnc/bastion:1.log
    [opc@bastion ~]$
  4. On the machine where your VNC client is installed, create a secure SSH tunnel. This tunnel will redirect the VNC output of the bastion host to your localhost on port 5901:
    $ ssh -L 5901:localhost:5901 -i '<path>/cluster.key' opc@<bastion_ip>
    Note: On Windows you can use PowerShell and run the same command.
  5. On the machine where your VNC client is installed, start the VNC client and connect to localhost:5901. Enter the password that you entered earlier.
  6. In the VNC session run the following command to allow access to the X server:
    xhost +

Section 2: Install OHS and WebGate on the Bastion Host

In this section you install the required OS packages on the bastion host, and download and install OHS and WebGate 12.2.1.4.0. All the instructions below are to be run inside the VNC client session.

  1. In a terminal window run the following commands to install the required OS packages:
    $ sudo yum install compat-libcap1-1.10
    $ sudo yum install compat-libstdc++-33-3.2.3
    $ sudo yum install libstdc++-devel-4.8.5
    $ sudo yum install gcc-4.8.5
    $ sudo yum install gcc-c++-4.8.5
    $ sudo yum install ksh
    $ sudo yum install libaio-devel-0.3.109
  2. Launch Firefox by running firefox& in a terminal window and access the Oracle Technology Network download page for Web Tier 12cR2 (12.2.1.4.0).
  3. Under Oracle HTTP Server 12.2.1.4, select Linux 64-bit. Accept the license agreement and download the Oracle HTTP Server 12.2.1.4.0 software, fmw_12.2.1.4.0_ohs_linux64_Disk1_1of1.zip.
  4. Move the file from $HOME/Downloads to a directory for example $HOME/stage and unzip it.
  5. Run the following command to install OHS (ignore any prerequisite check failures):
    $ cd $HOME/stage
    $ ./fmw_12.2.1.4.0_ohs_linux64.bin
  6. Follow the table below to guide you through the installation screens:
    Window                       | Choices or Values
    Installation Inventory Setup | Inventory Directory: /home/opc/oraInventory; Operating System Group: opc
    Welcome                      | Click Next
    Auto Updates                 | Click Next
    Installation Location        | Oracle Home: /home/opc/Oracle/Middleware/Oracle_Home
    Installation Type            | Standalone HTTP Server (Managed independently of WebLogic Server)
    JDK Selection                | JDK Home: /home/opc/Oracle/Middleware/Oracle_Home/oracle_common/jdk/jre
    Prerequisite Checks          | Click Next
    Installation Summary         | Click Install. The Installation Progress screen will appear.
    Installation Complete        | Click Finish

Section 3: Configure OHS

In this section you configure OHS, start up Node Manager and OHS. All the instructions below are to be run inside the VNC client session.

  1. In a terminal window run the following command to launch the Configuration Wizard:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/oracle_common/common/bin
    $ ./config.sh
  2. Follow the table below to guide you through the configuration screens:

    Window                 | Choices or Values
    Create Domain          | Select Create a new Domain; Domain Location: /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain
    Templates              | Select Oracle HTTP Server (Standalone)
    JDK Selection          | Click Next
    System Components      | Click Next
    OHS Server             | Click Next
    Node Manager           | Select Per Domain Default Location; Username: weblogic; Password: <password>; Confirm Password: <password>
    Configuration Summary  | Click Create
    Configuration Progress | Click Next
    End of Configuration   | Click Finish
  3. Run the following command to start the Node Manager:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
    $ nohup ./startNodeManager.sh > nm.out&
  4. Run the following command to start OHS and enter the password for Node Manager when prompted:
    $ ./startComponent.sh ohs1
    The output should look similar to the following:
    Starting system Component ohs1 ...
    Initializing WebLogic Scripting Tool (WLST) ...
    Welcome to WebLogic Server Administration Scripting Shell
    Type help() for help on available commands
    Reading domain from /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain
     
    Please enter Node Manager password:
    Connecting to Node Manager ...
    Successfully Connected to Node Manager.
    Starting server ohs1 ...
    Successfully started server ohs1 ...
    Successfully disconnected from Node Manager.
    
    Exiting WebLogic Scripting Tool.
    Done
    $
  5. In Firefox access the OHS home page using the URL http://localhost:7777.

Section 4: Update the OAM Hostname and Port for the Load Balancer

In this section you update OAM to reference the external IP address and port of the load balancer.

  1. In Firefox access the OAM console (https://<external-ip>/oamconsole). Login with the weblogic username and password (weblogic/<password>).
  2. Navigate to Configuration → Settings ( View ) → Access Manager.
  3. Under Load Balancing modify the OAM Server Host and OAM Server Port, to point to the Load balancer endpoint (e.g. <external-ip> and 443 respectively). In the OAM Server Protocol drop down list select https.
  4. Under WebGate Traffic Load Balancer modify the OAM Server Host and OAM Server Port, to point to the Load balancer HTTPS endpoint (e.g. <external-ip> and 443 respectively). In the OAM Server Protocol drop down list select https.
  5. Click Apply.

Section 5: Register a WebGate Agent for OHS

In this section you register the WebGate for your OHS with OAM. All the instructions below are to be run inside the VNC client session. Note: If you chose to use an on-premises OHS and WebGate and didn't install on the bastion host, run the commands in your Linux terminal and change the paths, directories and parameters for your installation accordingly.

  1. Run the following command to deploy the WebGate instance:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/webgate/ohs/tools/deployWebGate
    $ ./deployWebGateInstance.sh -w /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/ -oh /home/opc/Oracle/Middleware/Oracle_Home
    The output will look similar to the following:
    Copying files from WebGate Oracle Home to WebGate Instancedir
  2. Run the following command to update the OHS configuration files appropriately:
    $ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/opc/Oracle/Middleware/Oracle_Home/lib/
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/webgate/ohs/tools/setup/InstallTools
    $ ./EditHttpConf -w /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1 -oh /home/opc/Oracle/Middleware/Oracle_Home
    The output will look similar to the following:
    The web server configuration file was successfully updated
    /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf has been backed up as /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/httpd.conf.ORI
  3. In a browser access the OAM console (https://<external-ip>/oamconsole). Login with the weblogic username and password (weblogic/<password>). Note: If OHS and WebGate are on the bastion host then use the browser in the VNC session.
  4. Navigate to Application Security , Quick Start Wizard, SSO Agent Registration
  5. Select Agent Type: Webgate and click Next.
  6. On the Configure WebGate page enter details as follows, and then click Finish:
    Property Name        | Value
    Name                 | localhost_7777
    Base URL             | http://localhost:7777
    Host Identifier      | localhost_7777
    Security             | Open
    Auto Create Policies | Selected
    Public Resource List | Click Add and specify the Relative URI as /public/index.html

    Note: If you have configured an on-premises WebGate then change the Base URL etc. accordingly.
  7. Click Download and save the file.
  8. In a terminal window run the following command to copy the WebGate files to the appropriate directory:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/webgate/config
    $ unzip /home/opc/Downloads/localhost_7777.zip
    The output will look similar to the following:
    Archive:  localhost_7777.zip
      inflating: wallet/cwallet.sso.lck  
      inflating: wallet/cwallet.sso      
      inflating: cwallet.sso.lck         
      inflating: cwallet.sso             
      inflating: ObAccessClient.xml      
  9. Copy the load balancer certificate to the current directory and rename it to cacert.pem as follows:
    $ cp /home/opc/tls-nginx.crt cacert.pem
  10. Restart the OHS server. Enter the Node Manager password when prompted:
    $ cd /home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/bin
    $ ./stopComponent.sh ohs1
    $ ./startComponent.sh ohs1
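Before restarting OHS it is worth checking the WebGate instance directory, since the common misses (a certificate that is not PEM, the wrong agent zip, EditHttpConf never run) only surface later as a failed redirect. This is an added check, not part of the Oracle tutorial; the paths default to the ohs1 locations used in this section and the agent name to localhost_7777.

```shell
#!/bin/sh
# Added check, not part of the Oracle tutorial: verify the WebGate instance directory
# and httpd.conf before restarting OHS. Defaults are the ohs1 paths used in this section.
WG_CONF="${WG_CONF:-/home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1/webgate/config}"
OHS_CONF="${OHS_CONF:-/home/opc/Oracle/Middleware/Oracle_Home/user_projects/domains/base_domain/config/fmwconfig/components/OHS/ohs1}"

# is_pem_cert FILE: true if FILE is a PEM certificate. cacert.pem must be PEM; a DER
# or PKCS#12 export of the load balancer certificate will not work here.
is_pem_cert() {
    [ -f "$1" ] && grep -q '^-----BEGIN CERTIFICATE-----' "$1" \
                && grep -q '^-----END CERTIFICATE-----' "$1"
}

# webgate_config_ok DIR AGENT: true if DIR holds what the registration zip unpacked
# (ObAccessClient.xml for AGENT plus the wallet files) and the renamed cacert.pem.
webgate_config_ok() {
    dir="$1"; agent="$2"
    [ -f "$dir/ObAccessClient.xml" ] || { echo "missing ObAccessClient.xml" >&2; return 1; }
    grep -q "$agent" "$dir/ObAccessClient.xml" \
        || { echo "ObAccessClient.xml does not mention agent $agent" >&2; return 1; }
    [ -f "$dir/cwallet.sso" ] && [ -f "$dir/wallet/cwallet.sso" ] \
        || { echo "wallet files missing" >&2; return 1; }
    is_pem_cert "$dir/cacert.pem" || { echo "cacert.pem missing or not PEM" >&2; return 1; }
}

# httpd_conf_updated DIR: true if EditHttpConf actually changed httpd.conf, judged against
# the httpd.conf.ORI backup it writes; identical files mean WebGate is not wired in.
httpd_conf_updated() {
    [ -f "$1/httpd.conf.ORI" ] || { echo "no httpd.conf.ORI backup; EditHttpConf did not run" >&2; return 1; }
    ! cmp -s "$1/httpd.conf.ORI" "$1/httpd.conf"
}

# Usage: sh webgate_check.sh check   (hypothetical file name)
if [ "${1:-}" = "check" ]; then
    webgate_config_ok "$WG_CONF" localhost_7777 && httpd_conf_updated "$OHS_CONF" \
        && echo "WebGate instance config looks complete; safe to restart ohs1"
fi
```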


Section 6: Test the WebGate

In this section you test that the WebGate configuration is working and that you can access the OHS home page. For installs on the bastion host, access the browser from the VNC session.

  1. In the browser access the OHS home page using the URL http://localhost:7777. You should be redirected to the OAM SSO login page (notice that the redirect URL now points to OAM server https://<external-ip>).
  2. Log in as weblogic/<password>. The OHS Welcome page should be displayed.
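The same redirect can be confirmed from a terminal with curl, which also shows the exact Location header WebGate issues and distinguishes an unprotected resource (200) or a wrong OAM Server Protocol (http:// Location) from a working setup. This is an added example, not part of the Oracle tutorial; it assumes curl is available on the bastion host and that OAM_HOST is the load balancer <external-ip> entered in the previous section.

```shell
#!/bin/sh
# Added example, not part of the Oracle tutorial: confirm that the WebGate-protected
# OHS root redirects to OAM behind the load balancer. Assumes curl is installed.
OHS_URL="${OHS_URL:-http://localhost:7777/}"
OAM_HOST="${OAM_HOST:-<external-ip>}"   # placeholder: the load balancer IP from section 4

# fetch_headers URL: print only the response headers of a GET, without following the
# redirect, so the first hop issued by WebGate is what gets inspected.
fetch_headers() {
    curl -sS -o /dev/null -D - "$1"
}

# sso_redirect_ok HEADERS HOST: succeed only for a 302/303/307 whose Location is an
# https URL on HOST (optionally with a port), i.e. the WebGate -> OAM login redirect.
# A 200 means the URL is not protected; an http:// Location most likely means the OAM
# Server Protocol under Load Balancing was left at http.
sso_redirect_ok() {
    hdrs=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    location=$(printf '%s\n' "$hdrs" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        302|303|307) ;;
        *) echo "expected a redirect, got HTTP $status" >&2; return 1 ;;
    esac
    case "$location" in
        "https://$2/"*|"https://$2:"*) return 0 ;;
        *) echo "unexpected Location: $location" >&2; return 1 ;;
    esac
}

# Usage: sh sso_check.sh check   (hypothetical file name)
if [ "${1:-}" = "check" ]; then
    sso_redirect_ok "$(fetch_headers "$OHS_URL")" "$OAM_HOST" \
        && echo "SSO redirect from $OHS_URL to https://$OAM_HOST OK"
fi
```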

Next Tutorial

Starting and Stopping OAM using kubectl


Want to Learn More?

Cloud Infrastructure MarketPlace
Oracle Access Management
Using VNC securely in Oracle Cloud Infrastructure


Feedback

To provide feedback on this tutorial, please contact Identity Management User Assistance.