Webgate

Webgate is typically deployed on a web server to protect the applications served by that web server. Webgate supports industry-standard web servers such as Apache, Oracle HTTP Server and IBM HTTP Server (most of them are Apache-based). Before installing and configuring Webgate, ensure that you have installed and configured OAM and a supported web server (steps for Oracle HTTP Server are available).

Downloads

  Component                                   Location
  Oracle Access Manager WebGates and Agents   http://www.oracle.com/technetwork/middleware/id-mgmt/downloads/oid-11gr2-2104316.html


Consult the Oracle certification matrix before deciding on the product version. The relevant certification matrices are available at:
  1. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.0.0) (xls)
  2. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.1.0) (xls)
  3. System Requirements and Supported Platforms for Oracle Identity and Access Management 11g Release 2 (11.1.2.2.0) (xls)
All Fusion Middleware certification matrices are maintained at http://www.oracle.com/technetwork/middleware/ias/downloads/fusion-certification-100350.html

If you have a valid Oracle Support contract, download the products from the edelivery website (https://edelivery.oracle.com) instead.

Installation

The webgate is typically installed on a system that already has a web server. The installation is normally performed as the OHS server's user id and into the same middleware inventory and home.

  1. Start the installer 

    cd /home/demo/downloads/installs/
    mkdir webgate
    cd webgate
    unzip ../OAM_Webgates_V33639-01.zip
    su - ohs 
    cd /home/infrasupport/downloads/installs/webgate/Disk1    
    ./runInstaller -jreLoc /opt/java/ -invPtrLoc /opt/ohs/inventory/oraInst.loc  


  2. Run the installation with the following values

    Name                     Value
    Oracle Middleware Home   /opt/ohs/Middleware
    Oracle Home Directory    Oracle_OAMWebGate1


Configuration

The webgate is typically used to protect an existing application. The process described here configures OAM and the corresponding Webgate on the OHS server to protect the OAM server and the OAM Console. It also excludes the WebLogic console from OAM protection. Depending on the other applications and IAM suite components deployed, the corresponding access policy configuration may need to be changed.

To do so:

  1. Ensure that the Oracle HTTP Server 11.1.2.2.0 WebGate is downloaded and installed (e.g. under /opt/idm/web/Middleware/Oracle_OAMWebGate1)

  2. Run the following commands (lines starting with >> are the expected output)

    cd /opt/idm/web/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/deployWebGate/
    ./deployWebGateInstance.sh -oh /opt/idm/web/Middleware/Oracle_OAMWebGate1/ -w /opt/idm/web/server/oam/config/OHS/oamWeb/ -ws ohs
    >>Copying files from WebGate Oracle Home to WebGate Instancedir
    export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/idm/web/Middleware/Oracle_WT1/lib
    cd /opt/idm/web/Middleware/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools
    ./EditHttpConf -w /opt/idm/web/server/oam/config/OHS/oamWeb/ -oh /opt/idm/web/Middleware/Oracle_OAMWebGate1/
    >>The web server configuration file was successfully updated
    >>/opt/idm/web/server/oam/config/OHS/oamWeb/httpd.conf has been backed up as /opt/idm/web/server/oam/config/OHS/oamWeb/httpd.conf.ORIG
    


  3. Set up the RREG utility

    cd /opt/idm/fmw
    mkdir oam-rreg
    cd oam-rreg
    gunzip /opt/idm/fmw/Middleware/Oracle_IDM1/oam/server/rreg/client/RREG.tar.gz
    tar -xvf ../Middleware/Oracle_IDM1/oam/server/rreg/client/RREG.tar


  4. Use the existing request template file to create the configuration file

    cp rreg/input/OAM11GRequest_short.xml oam-serverRequest.xml


  5. Configure the new file as follows 

    <OAM11GRegRequest>
        <serverAddress>http://localhost:7001</serverAddress>
        <hostIdentifier>OAMonOHS_host</hostIdentifier>
        <agentName>OAMonOHS_agent</agentName>
        <agentBaseUrl>http://192.168.56.11</agentBaseUrl>
        <applicationDomain>OAMonOHS_AppDomain</applicationDomain>
        <security>open</security>
        <protectedResourcesList>
            <resource>/**</resource>
        </protectedResourcesList>
        <publicResourcesList>
            <resource>/public/index.html</resource>
            <resource>/oam/**</resource>
        </publicResourcesList>
        <excludedResourcesList>
            <resource>/console/**</resource>
        </excludedResourcesList>
    </OAM11GRegRequest>


    If agentBaseUrl has a trailing /, the corresponding host identifier may be created with the / as well. The public resource /oam is then treated as a protected resource, which results in infinite redirection on every access.


  6. Register the configuration 

    > export OAM_REG_HOME=/opt/idm/fmw/oam-rreg/rreg/
    > cp oam-serverRequest.xml $OAM_REG_HOME/input
    > rreg/bin/oamreg.sh inband input/oam-serverRequest.xml
    JAVA_HOME=/opt/idm/java
    CLASSPATH=/opt/idm/fmw/oam-rreg/rreg//lib/rreg.jar:/opt/idm/fmw/oam-rreg/rreg//lib:/opt/idm/fmw/oam-rreg/rreg//lib/RequestResponse.jar:/opt/idm/fmw/oam-rreg/rreg//lib/commons-codec-1.3.jar:/opt/idm/fmw/oam-rreg/rreg//lib/commons-httpclient-3.1.jar:/opt/idm/fmw/oam-rreg/rreg//lib/commons-logging-1.1.1.jar:/opt/idm/fmw/oam-rreg/rreg//lib/ojmisc.jar:/opt/idm/fmw/oam-rreg/rreg//lib/jps-api.jar:/opt/idm/fmw/oam-rreg/rreg//lib/jps-internal.jar:/opt/idm/fmw/oam-rreg/rreg//lib/jps-common.jar:/opt/idm/fmw/oam-rreg/rreg//lib/identitystore.jar:/opt/idm/fmw/oam-rreg/rreg//lib/identityutils.jar:/opt/idm/fmw/oam-rreg/rreg//lib/ldapjclnt11.jar:/opt/idm/fmw/oam-rreg/rreg//lib/dms.jar:/opt/idm/fmw/oam-rreg/rreg//lib/fmw_audit.jar:/opt/idm/fmw/oam-rreg/rreg//lib/ojdl.jar:/opt/idm/fmw/oam-rreg/rreg//lib/oraclepki.jar:/opt/idm/fmw/oam-rreg/rreg//lib/osdt_cert.jar:/opt/idm/fmw/oam-rreg/rreg//lib/osdt_core.jar:/opt/idm/fmw/oam-rreg/rreg//lib/osdt_jce.jar:/opt/idm/fmw/oam-rreg/rreg//lib/osdt_saml.jar:/opt/idm/fmw/oam-rreg/rreg//lib/osdt_xmlsec.jar:/opt/idm/fmw/oam-rreg/rreg//lib/xmlparserv2.jar:/opt/idm/fmw/oam-rreg/rreg//lib/jps-unsupported-api.jar:/opt/idm/fmw/oam-rreg/rreg//lib/nap-api.jar:/opt/idm/fmw/oam-rreg/rreg//lib/utilities.jar:/opt/idm/fmw/oam-rreg/rreg//lib/jps-ee.jar:.
    OAM_REG_HOME=/opt/idm/fmw/oam-rreg/rreg/
    ------------------------------------------------
    Welcome to OAM Remote Registration Tool!
    Parameters passed to the registration tool are: 
    Mode: inband
    Filename: /opt/idm/fmw/oam-rreg/rreg//input/oam-serverRequest.xml
    Enter admin username: <weblogic>
    Username: weblogic
    Enter admin password:          
    Do you want to enter a Webgate password?(y/n):
    y
    Enter webgate password:          
    Enter webgate password again:          
    Password accepted. Proceeding to register..
    Feb 16, 2014 9:59:15 AM oracle.security.am.engines.rreg.client.util.RegClientUtil getWebgatePassword
    INFO: Passwords matched and accepted.
    Do you want to import an URIs file?(y/n):
    n
    ----------------------------------------
    Request summary:
    OAM11G Agent Name:OAMonOHS_agent
    Base URL:https://iam.demo.aps/
    URL String:OAMonOHS_host
    Registering in Mode:inband
    Your registration request is being sent to the Admin server at: http://iam.demo.aps:7101/
    ----------------------------------------
    Feb 16, 2014 9:59:59 AM oracle.security.jps.util.JpsUtil disableAudit
    INFO: JpsUtil: isAuditDisabled set to true
    Inband registration process completed successfully! Output artifacts are created in the output folder.


  7. Copy the generated files to the webgate config directory

    cd /opt/idm/fmw/oam-rreg
    cp rreg/output/OAMonOHS_agent/* /opt/idm/web/server/oam/config/OHS/oamWeb/webgate/config/


  8. Restart the OHS server so that it picks up the webgate configuration

  9. If the webgate setup causes errors, the webgate can be disabled on OHS by adding # in front of the following line in /opt/idm/web/server/oam/config/OHS/oamWeb/httpd.conf


    #include "/opt/web/oiam/config/OHS/oiam/webgate.conf"

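Commenting the include out by hand works, but it is easy to miss the line, comment out the wrong include, or assume the webgate is "disabled" when EditHttpConf never ran at all. The following script is an added example (not from this page and not Oracle's code) that toggles only the webgate.conf include line and refuses to act when no such line exists; the httpd.conf fragment and the instance path in it are constructed for the example.

```python
# Added example (not from the page, not Oracle's code): toggle the WebGate
# include that EditHttpConf adds to httpd.conf, which is what step 9 does by
# hand. Only the line that includes webgate.conf is touched; the path in the
# sample below is constructed and the real one depends on the OHS instance.
import re

INCLUDE_RE = re.compile(
    r'^(?P<indent>[ \t]*)(?P<comment>#[ \t]*)?'
    r'(?P<directive>include[ \t]+"[^"\n]*webgate\.conf")[ \t]*$',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed httpd.conf fragment as it looks after EditHttpConf has run.
SAMPLE_CONF = (
    "Listen 7777\n"
    "ServerName iam.demo.aps\n"
    'include "/opt/idm/web/server/oam/config/OHS/oamWeb/webgate.conf"\n'
)


def find_webgate_includes(conf_text):
    """Return (line_number, enabled) for every webgate.conf include line."""
    return [(conf_text.count("\n", 0, m.start()) + 1, m.group("comment") is None)
            for m in INCLUDE_RE.finditer(conf_text)]


def set_webgate_include(conf_text, enabled):
    """Return (new_text, changed). A conf without the include line is an error,
    so a WebGate that was never deployed is not mistaken for a disabled one."""
    if not find_webgate_includes(conf_text):
        raise ValueError("no webgate.conf include found; was EditHttpConf run?")
    prefix = "" if enabled else "#"
    new_text = INCLUDE_RE.sub(
        lambda m: m.group("indent") + prefix + m.group("directive"), conf_text)
    return new_text, new_text != conf_text


def webgate_enabled(conf_text):
    """True if at least one webgate.conf include line is not commented out."""
    return any(enabled for _, enabled in find_webgate_includes(conf_text))


if __name__ == "__main__":
    disabled, changed = set_webgate_include(SAMPLE_CONF, False)
    print("changed:", changed, "| enabled now:", webgate_enabled(disabled))
    print(disabled)
```

On a real instance, read httpd.conf, pass its text through set_webgate_include, write the result to a temporary file next to it and rename it into place, then restart OHS as in step 8; keep the httpd.conf.ORIG backup that EditHttpConf created until the webgate is known to be working again.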

  10. On successful setup, a new application domain will have been defined in the OAM Console and the following policy will be in effect.

    Protection Level   Resource
    Public             /oam/**
    Protected          /oamconsole/**
    Excluded           /console/**
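Before sending a request file to oamreg.sh (step 5) it is worth checking it for the trailing-slash mistake described there and confirming that the resulting policy (step 10) classifies paths the way you expect. The script below is an added example, not part of this page and not Oracle's code: it parses an OAM11GRegRequest file, reports the findings a reviewer would raise, and predicts the protection level of a request path. The pattern-matching rules (`**` spans path segments, `*` stays within one segment, the most specific matching pattern wins, ties fail closed) are an assumption modelled on the page's own examples, and the sample request is constructed with the trailing slash deliberately present.

```python
# Added example (not from the page, not Oracle's code): parse the RREG request
# file from step 5, lint it for the trailing-slash pitfall, and predict how the
# resulting policy classifies a request path. Pattern semantics are an assumption
# modelled on the page's examples ('**' spans path segments, '*' stays within one
# segment, the most specific matching pattern wins); confirm against the OAM docs.
import re
import xml.etree.ElementTree as ET

# Constructed sample: the step 5 request, with the trailing slash on agentBaseUrl
# deliberately present so the lint check has something to report.
SAMPLE_REQUEST = """<OAM11GRegRequest>
    <serverAddress>http://localhost:7001</serverAddress>
    <hostIdentifier>OAMonOHS_host</hostIdentifier>
    <agentName>OAMonOHS_agent</agentName>
    <agentBaseUrl>http://192.168.56.11/</agentBaseUrl>
    <applicationDomain>OAMonOHS_AppDomain</applicationDomain>
    <security>open</security>
    <protectedResourcesList><resource>/**</resource></protectedResourcesList>
    <publicResourcesList>
        <resource>/public/index.html</resource>
        <resource>/oam/**</resource>
    </publicResourcesList>
    <excludedResourcesList><resource>/console/**</resource></excludedResourcesList>
</OAM11GRegRequest>"""

RESOURCE_LISTS = {"protected": "protectedResourcesList",
                  "public": "publicResourcesList",
                  "excluded": "excludedResourcesList"}
# Tie-break between equally specific patterns: fail closed (assumption).
LEVEL_RANK = {"protected": 2, "public": 1, "excluded": 0}


def parse_request(xml_text):
    """Return the scalar fields and per-level resource lists of an OAM11GRegRequest."""
    root = ET.fromstring(xml_text)
    if root.tag != "OAM11GRegRequest":
        raise ValueError(f"unexpected root element {root.tag!r}")
    req = {tag: (root.findtext(tag) or "").strip()
           for tag in ("serverAddress", "hostIdentifier", "agentName",
                       "agentBaseUrl", "security")}
    req["resources"] = {
        level: [(r.text or "").strip() for r in root.findall(f"./{tag}/resource")]
        for level, tag in RESOURCE_LISTS.items()}
    return req


def _pattern_to_regex(pattern):
    """Translate an OAM-style resource pattern into an anchored regex."""
    out, i = "^", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"        # '**' crosses '/' boundaries
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"     # '*' stays inside one path segment
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile(out + "$")


def _specificity(pattern):
    # More literal characters means a more specific pattern.
    return len(pattern.replace("*", ""))


def classify(path, resources):
    """Return 'protected', 'public', 'excluded' or 'unmatched' for a request path."""
    best = None
    for level, patterns in resources.items():
        for pattern in patterns:
            if _pattern_to_regex(pattern).match(path):
                key = (_specificity(pattern), LEVEL_RANK[level])
                if best is None or key > best[0]:
                    best = (key, level)
    return best[1] if best else "unmatched"


def lint_request(req):
    """Return the findings a reviewer would raise before running oamreg.sh."""
    findings = []
    if req["agentBaseUrl"].endswith("/"):
        findings.append("agentBaseUrl ends with '/': the host identifier may be created "
                        "with the slash, /oam/** then fails to match as public and every "
                        "access loops through the login redirect")
    # /oam/server/obrareq.cgi is a typical WebGate login endpoint under /oam/**.
    if classify("/oam/server/obrareq.cgi", req["resources"]) != "public":
        findings.append("no public pattern covers /oam/**: the OAM login endpoints "
                        "themselves would be protected, causing a redirect loop")
    if req["security"].lower() == "open":
        findings.append("security mode is 'open': agent-to-server traffic is not "
                        "encrypted; prefer 'simple' or 'cert' outside a lab")
    return findings


if __name__ == "__main__":
    request = parse_request(SAMPLE_REQUEST)
    for finding in lint_request(request):
        print("FINDING:", finding)
    for p in ("/oam/server/obrareq.cgi", "/console/login", "/app/index.html"):
        print(f"{p:28} -> {classify(p, request['resources'])}")
```

Run it against your own oam-serverRequest.xml by replacing SAMPLE_REQUEST with the file contents; a clean run prints no FINDING lines, and the classification of a few representative paths should agree with the policy shown in the OAM Console after registration.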