Prerequisite: the OAM 11g basic install steps should already have been completed.
Oracle Access Manager (OAM) is the access management product that Oracle acquired from Oblix in 2005.
# OAM 11g User Interface (UI) is based on Application Development Framework (ADF)
# Three types of Web Agents are supported in OAM 11g:
a) AccessGate/WebGate from 11g
b) AccessGate/WebGate from 10g (for backward compatibility) and
c) mod_osso for Oracle 10g Single Sign-On integration
You can set up either Oracle HTTP Server WebGate or mod_OSSO as an Agent for Oracle Access Manager (OAM).
Setting up an Agent involves the following steps:
1. Installing and Configuring the Agent (WebGate or mod_osso)
2. Registering the Agent as a Partner Application
3. Restarting the WebLogic Managed Servers
The Oracle HTTP Server WebGate intercepts HTTP requests from users for Web resources and forwards them to the Access Server for authentication and authorization.
Oracle HTTP Server 11g WebGate for Oracle Access Manager is not intended for use in Oracle Identity and Access Management environments where you want to set up integration among Oracle Identity and Access Management components.
1. The following is the procedure for installing Oracle HTTP Server 11g Webgate for Oracle Access Manager.
A. Installing Oracle HTTP Server 11g (11.1.1.3.0, 11.1.1.4.0, or 11.1.1.5.0) -- installation steps
Since we are on 11.1.1.5 for every component, we now install Oracle HTTP Server 11.1.1.5. You may ask whether the OHS that was installed along with OID can be used. It cannot: the Webgate installer needs an OHS of the Web Tier type (installed with the Web Tier installer, which is a separate tool).
This is a restriction imposed by the Webgate installer.
We should first install Oracle HTTP Server 11.1.1.2 and then patch it to 11.1.1.5, which in turn means using the Oracle Web Tier installer 11.1.1.2 and then moving to 11.1.1.5. More information on the Oracle Web Tier installer follows; it installs the following components:
* Oracle HTTP Server
* Oracle Web Cache
Oracle Process Manager and Notification Server (OPMN) is also installed by default. Together, these products are responsible for managing incoming HTTP requests, caching web messages, and sending XML and HTML back to the client.
Oracle HTTP Server 11g is based on Apache 2.2.
Once it is installed with Oracle Fusion Middleware, it is supported and maintained as the Oracle HTTP Server. For this reason it differs from the Apache version it originated from, and the two should not be treated as equivalent in all situations.
Similar to OID, Oracle Web Tier can be installed without a domain and administered from the command line. But to use Oracle Enterprise Manager Fusion Middleware Control to administer Oracle Web Tier, the WebLogic domain with which you are going to associate the Web Tier components must already have been configured using both the Enterprise Manager and Java Required Files (JRF) domain templates. It is not possible to create this domain during the installation of Oracle Web Tier, so the domain must exist prior to installation and configuration. Alternatively, you can install Oracle Web Tier without configuring the components, then create a WebLogic Server domain, then run the configuration tool to associate your Oracle Web Tier components with that domain.
Below is the procedure to install OHS using the Web Tier installer, associating OHS with an existing WebLogic domain.
--> Ensure that the WebLogic Admin Server is up and running.
--> Execute setup.exe inside Disk1 of the Web Tier 11.1.1.2 installation package (V18762-01.zip).
--> Choose the Install and Configure option and follow the screens.
--> Installation happens first, followed by configuration.
--> Once installed, patch the installation in the same way using the 11.1.1.5 Web Tier patch set (V26010-01.zip).
Once the above process completes, a folder Oracle_WT1 is created inside MW_HOME.
Run the opmnctl status command:
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status
Processes in Instance: instance1
---------------------------------+--------------------+---------+---------
ias-component                    | process-type       |    pid  | status
---------------------------------+--------------------+---------+---------
webcache1                        | WebCache-admin     |    3804 | Alive
webcache1                        | WebCache           |    3372 | Alive
ohs1                             | OHS                |    1884 | Alive
This information shows the components configured for this installation. The status "Alive" means the component is up and running.
This opmnctl runs as a Windows service. The service is similar to, but distinct from, the one that monitors OID and OVD.
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin>opmnctl status -l
Processes in Instance: instance1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component                    | process-type       |    pid  | status   | uid        | memused  | uptime    | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
webcache1                        | WebCache-admin     |    3804 | Alive    | 1675299287 |    17372 | 23:57:34  | http_admin:7786
webcache1                        | WebCache           |    3372 | Alive    | 1675299286 |    34268 | 23:57:34  | http_stat:7787,http_invalidation:7788,https_listen:7789,http_listen:7785
ohs1                             | OHS                |    1884 | Alive    | 1675299285 |    20212 | 23:58:15  | https:9999,https:4443,http:7777
Use the port numbers in this display to point your browser to the appropriate pages.
Use the format: http://system_name:port_number
Below are all the URLs that should be tested.
Oracle HTTP Server: http://localhost:7777
Oracle HTTP Server SSL: https://localhost:4443
Oracle Web Cache: http://localhost:7785
Oracle Web Cache SSL: https://localhost:7789
Oracle Web Cache Administration: http://localhost:7786
Oracle Web Cache Statistics: http://localhost:7787
The username for the last two URLs is ias_admin, and the password is the one you specified during the installation process.
Note: Oracle HTTP Server comes configured with two listen ports: a non-SSL port (http) and an SSL port (https). The default non-SSL port is 7777. If port 7777 is occupied, the next available port number within the range 7777-7877 is assigned. The default SSL port is 4443. Similarly, if port 4443 is occupied, the next available port number within the range 4443-4543 is assigned.
An additional SSL port (9999) is configured to run out-of-the-box in the admin.conf file. It is called the Proxy MBean or Admin port and is used internally by Oracle HTTP Server to communicate with Fusion Middleware Control.
Note: the Web Cache 'invalidation port' 7788 expects the request to carry an XML message indicating the cache contents that must be invalidated. That is why any request from a browser will fail. You can find more information in the product documentation.
Now here is the scenario.
During the OID/OVD installation you also get an OHS along with OID and OVD; that means if you start opmnctl.bat at C:\Oracle\Middleware\asinst_1\bin you get OID, OVD and OHS up and running.
This implies there are two OHS installations in the Middleware home: one installed along with OID (monitored by the OPMN service located at C:\Oracle\Middleware\asinst_1\bin) and the other installed along with Web Tier (monitored by the OPMN service located at C:\Oracle\Middleware\Oracle_WT1\instances\instance1\bin).
The reason we installed a separate OHS as part of Web Tier, even though we already have an OHS from the OID installation, is that for the Webgate installation (part of OAM, which is what we are actually discussing) the OHS must be in a Middleware home containing an Oracle Home for Oracle Web Tier, and the directory structure is important.
As discussed earlier in the OID posts, you cannot skip the installation of OHS during the OID installation, but you can always skip its configuration. OHS might be packaged along with the OID installer for the sake of OIF, but this is an assumption.
Note that these two OHS installations were installed using the same ports.
Even the two OPMN services were installed using the same ports.
So the two cannot be started at the same time. If the situation demands running both, we have to change the OPMN ports and also the OHS ports for one of the servers.
For the detailed procedure on how to change the OPMN ports, refer to my post on that topic.
Now you have to change the ports for one of the OHS installations.
I chose to change the ports for the OHS that was installed along with the OID installation.
For the detailed procedure on how to change the OHS ports, refer to my post on that topic.
After making the necessary changes to one of the OPMN services and its OHS, both sets of OHS and OPMN services can be started simultaneously.
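A small parser for the `opmnctl status -l` listing shown above, plus a port-clash check for the two OPMN instances just described (the Web Tier one and the OID one), written in Python as an added example; it is not part of the original post and not an Oracle tool. The Web Tier listing embedded in it is copied from the post; the OID-side listing (instance name asinst_1, an oidldapd row) is constructed on the post's statement that both were installed on the same OHS ports, and its non-OHS row is an assumption.

```python
"""Parse `opmnctl status -l` listings and spot port clashes between two OPMN instances.

Added example: not part of the original post and not an Oracle tool. The first
listing is the one quoted in the post for the Web Tier instance; the second
stands in for the OID-side instance (asinst_1), which the post says was
installed on the same OHS ports. Its oidldapd row is an assumption added so
the second listing is not a bare copy of the first.
"""
import re
from collections import defaultdict

WEBTIER_STATUS = """\
Processes in Instance: instance1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component | process-type | pid | status | uid | memused | uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
webcache1 | WebCache-admin | 3804 | Alive | 1675299287 | 17372 | 23:57:34 | http_admin:7786
webcache1 | WebCache | 3372 | Alive | 1675299286 | 34268 | 23:57:34 | http_stat:7787,http_invalidation:7788,https_listen:7789,http_listen:7785
ohs1 | OHS | 1884 | Alive | 1675299285 | 20212 | 23:58:15 | https:9999,https:4443,http:7777
"""

OID_STATUS = """\
Processes in Instance: asinst_1
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
ias-component | process-type | pid | status | uid | memused | uptime | ports
---------------------------------+--------------------+---------+----------+------------+----------+-----------+------
oid1 | oidldapd | 2210 | Alive | 1675299290 | 40100 | 10:02:11 | N/A
ohs1 | OHS | 2298 | Alive | 1675299291 | 19880 | 10:02:09 | https:9999,https:4443,http:7777
"""

PORT_RE = re.compile(r"(\w+):(\d+)")


def parse_opmn_status(text):
    """Map 'component/process-type' -> row dict; ports become [(label, int), ...]."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Processes", "-")):
            continue
        cols = [c.strip() for c in line.split("|")]
        if cols[0] == "ias-component" or len(cols) < 8:
            continue  # header row, or a line we do not understand
        comp, proc, pid, status, _uid, _mem, uptime, ports = cols[:8]
        rows[f"{comp}/{proc}"] = {
            "component": comp, "process": proc, "pid": int(pid),
            "status": status, "uptime": uptime,
            "ports": [(m.group(1), int(m.group(2))) for m in PORT_RE.finditer(ports)],
        }
    return rows


def browser_urls(rows, host="localhost"):
    """(component, label, url) for every listener a browser can sensibly hit.

    http_invalidation is skipped: that port expects an XML invalidation
    message, so a plain browser GET fails there, as the post notes."""
    urls = []
    for row in rows.values():
        for label, port in row["ports"]:
            if label == "http_invalidation":
                continue
            scheme = "https" if label.startswith("https") else "http"
            urls.append((row["component"], label, f"{scheme}://{host}:{port}"))
    return urls


def port_clashes(rows_a, rows_b):
    """Ports both instances want: {port: (owners in a, owners in b)}."""
    def owners(rows):
        by_port = defaultdict(list)
        for key, row in rows.items():
            for label, port in row["ports"]:
                by_port[port].append(f"{key}:{label}")
        return by_port
    a, b = owners(rows_a), owners(rows_b)
    return {p: (a[p], b[p]) for p in sorted(set(a) & set(b))}


if __name__ == "__main__":
    webtier = parse_opmn_status(WEBTIER_STATUS)
    for comp, label, url in browser_urls(webtier):
        print(f"{comp:10} {label:18} {url}")
    for port, (mine, theirs) in port_clashes(webtier, parse_opmn_status(OID_STATUS)).items():
        print(f"port {port} clashes: instance1 {mine} vs asinst_1 {theirs}")
```

The derived URL list also contains the 9999 listener, which the note above identifies as the admin/Proxy MBean port used internally by Fusion Middleware Control rather than a page to browse. The clash report is exactly the set of ports that must be changed on one side before both OPMN services can run together.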
B. Microsoft Visual C++ libraries installation
Prerequisite for Windows 2003/2008: if you are using a Windows 2003 or Windows 2008 64-bit operating system, you must install the Microsoft Visual C++ 2005 libraries on the machine hosting the Oracle HTTP Server 11g Webgate for Oracle Access Manager.
These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:
http://www.microsoft.com/DownLoads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en
In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:
http://www.microsoft.com/en-in/download/details.aspx?id=26347
C. Run the Oracle HTTP Server Webgate installer to install Oracle HTTP Server 11g Webgate for Oracle Access Manager:
D:\Softwares\Oracle Access Manager WebGates (11.1.1.5.0)\Disk1\install\win64\setup.exe
Provide the Java path and the Middleware path, and proceed as directed by the installer.
Note: this Java path is different from your computer's Java path; it is the path of the JDK created when you installed Oracle HTTP Server. The jdk directory is created under the <WebTier_Home> directory. You must enter the absolute path of the JRE folder located in this JDK when launching the installer.
D. Post-install steps:
--> Go to C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate
[<Webgate_Home>\webgate\ohs\tools\deployWebGate]
On the command line, run the following command to copy the required bits of the agent from the Webgate_Home directory to the Webgate instance location:
deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1
[deployWebgateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>]
Note: <Webgate_Oracle_Home> is the directory where you installed Oracle HTTP Server Webgate, created as the Oracle Home for Webgate.
<Webgate_Instance_Directory> is the location of the Webgate instance home, which is the same as the instance home of Oracle HTTP Server.
Sample run:
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator>cd C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>deployWebgateInstance.bat -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1
Copying files
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\config\oblog_config_wg.xml
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cacert.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\openssl\simpleCA\cakey.pem
1 File(s) copied
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\deployWebGate>
--> Add the following two directories to your PATH variable:
<Webgate_Installation_Directory>\webgate\ohs\lib -- "C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\lib"
and
<Oracle_Home_for_Oracle_HTTP_Server>\bin -- "C:\Oracle\Middleware\Oracle_WT1\bin"
--> Go to <Webgate_Home>\webgate\ohs\tools\EditHttpConf on the command line
(C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>)
and execute the following command. It copies apache_webgate.template from the Webgate_Home directory to the Webgate instance location (renamed to webgate.conf) and updates httpd.conf by adding one line that includes webgate.conf:
EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]
The -oh <WebGate_Oracle_Home> and -o <output_file> parameters are optional.
Webgate_Instance_Directory == C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1
Webgate_Oracle_Home == C:\Oracle\Middleware\Oracle_OAMWebGate1
The <output_file> is the name of the temporary output file used by the tool, for example Edithttpconf.log.
So the command is:
EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log
Sample run:
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>EditHttpConf.exe -w C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1 -oh C:\Oracle\Middleware\Oracle_OAMWebGate1 -o Edithttpconf.log
The web server configuration file was successfully updated
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf has been backed up as C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/httpd.conf.ORIG
C:\Oracle\Middleware\Oracle_OAMWebGate1\webgate\ohs\tools\EditHttpConf>
Note: this is the additional line added to httpd.conf:
include "C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1/webgate.conf"
E. Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager
--> Go to C:\Program Files\Oracle\Inventory\logs
and check the installDATE-TIME_STAMP.out log file to verify the installation.
Before you can get started with the new Oracle HTTP Server 11g Webgate agent for Oracle Access Manager, you have to complete a few steps.
They are:
@Register the New Webgate Agent
@Copy Generated Files and Artifacts to the Webgate Instance Location
@Restart the Oracle HTTP Server Instance
2. Registering the Agent as a Partner Application
A.Register the New Webgate Agent
You can register the new Webgate agent with Oracle Access Manager by using the Oracle Access Manager Administration Console.
Alternatively, you can use the RREG command-line tool to register a new Webgate agent. The tool can be run in two modes: in-band mode and out-of-band mode.
I am using In-Band mode.
Go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\client, copy RREG.tar.gz to some folder in your personal space and extract it there. A folder 'rreg' will be created.
Inside that rreg folder, go to the input directory and copy the OAM11GRequest_short.xml file.
Now go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input and paste the file there.
Set the following environment variables in the oamreg.bat script
(available under C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin):
OAM_REG_HOME = C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
JAVA_HOME="C:\Program Files\Java\jdk1.6.0_25"
Updating the OAM11GRequest_short.xml file
Go to C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\client\rreg\input
Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file.
I am using OAM11GRequest_short.xml.
<serverAddress>
Specify the host and the port of the Administration Server.
<serverAddress>http://localhost:7001</serverAddress>
<agentName>
Specify any custom name for the agent.
<agentName>RREG_OAM11G</agentName>
<agentBaseUrl>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<agentBaseUrl>http://localhost:7777</agentBaseUrl>
<preferredHost>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<preferredHost>http://localhost:7777</preferredHost>
<security>
Specify the security mode, such as open, based on the Webgate installed.
<security>open</security>
Available modes are 'open', 'cert' and 'simple'.
<primaryServerList>
Specify the host and the port of Managed Server for Oracle Access Manager proxy, under a <Server> container element.
<Server>
<primaryServerList>http://localhost:14100</primaryServerList>
</Server>
After modifying the file, save the file and close.
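The parameters listed above can be filled in and sanity-checked before oamreg.bat is run. The Python below is an added example, not part of the original post and not Oracle's tool: TEMPLATE is a constructed, simplified stand-in that carries only the elements the post edits (the root tag OAM11GRegRequest and the placement of <Server> directly under <primaryServerList>, with the server URL as its text, are assumptions), so it is not Oracle's shipped OAM11GRequest_short.xml. fill_request() and validate_request() are names chosen here. The validation also flags the 'open' security mode, because in that mode the WebGate-to-OAM-server channel carries no encryption.

```python
"""Fill in the RREG request file and sanity-check it before running oamreg.bat inband.

Added example: not part of the original post and not Oracle's tool. TEMPLATE is a
constructed, simplified stand-in carrying only the elements the post edits; it is
not Oracle's shipped OAM11GRequest_short.xml, and placing <Server> directly under
<primaryServerList> with the server URL as its text is an assumption.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

TEMPLATE = """<OAM11GRegRequest>
  <serverAddress>http://ADMIN_HOST:7001</serverAddress>
  <agentName>AGENT_NAME</agentName>
  <agentBaseUrl>http://OHS_HOST:7777</agentBaseUrl>
  <preferredHost>http://OHS_HOST:7777</preferredHost>
  <security>open</security>
  <primaryServerList>
    <Server>http://OAM_HOST:14100</Server>
  </primaryServerList>
</OAM11GRegRequest>
"""

SECURITY_MODES = ("open", "simple", "cert")


def fill_request(xml_text, values, servers):
    """Set the text of each simple element and rewrite the primary server list."""
    root = ET.fromstring(xml_text)
    for tag, text in values.items():
        node = root.find(tag)
        if node is None:
            raise KeyError(f"template has no <{tag}> element")
        node.text = text
    psl = root.find("primaryServerList")
    for old in list(psl):
        psl.remove(old)
    for url in servers:
        ET.SubElement(psl, "Server").text = url
    return ET.tostring(root, encoding="unicode")


def _is_host_port_url(value):
    parts = urlsplit(value)
    try:
        return parts.scheme in ("http", "https") and bool(parts.hostname) and parts.port is not None
    except ValueError:  # non-numeric port
        return False


def validate_request(xml_text):
    """Return findings as 'ERROR: ...' / 'WARN: ...' strings; [] means nothing to report."""
    root = ET.fromstring(xml_text)
    findings = []

    def text_of(tag):
        node = root.find(tag)
        return (node.text or "").strip() if node is not None else ""

    for tag in ("serverAddress", "agentBaseUrl", "preferredHost"):
        if not _is_host_port_url(text_of(tag)):
            findings.append(f"ERROR: {tag} must look like scheme://host:port, got {text_of(tag)!r}")
    name = text_of("agentName")
    if not name or not name.replace("_", "").replace("-", "").isalnum():
        findings.append("ERROR: agentName must be non-empty and use only letters, digits, '_' or '-'")
    mode = text_of("security")
    if mode not in SECURITY_MODES:
        findings.append(f"ERROR: security must be one of {SECURITY_MODES}, got {mode!r}")
    elif mode == "open":
        findings.append("WARN: security 'open' leaves WebGate-to-OAM-server traffic unencrypted; "
                        "prefer 'simple' or 'cert' outside a lab")
    servers = [(s.text or "").strip() for s in root.findall("primaryServerList/Server")]
    if not servers:
        findings.append("ERROR: primaryServerList needs at least one <Server>")
    findings.extend(f"ERROR: primaryServerList/Server {s!r} is not scheme://host:port"
                    for s in servers if not _is_host_port_url(s))
    return findings


if __name__ == "__main__":
    post_values = {  # the values the post puts into OAM11GRequest_short.xml
        "serverAddress": "http://localhost:7001", "agentName": "RREG_OAM11G",
        "agentBaseUrl": "http://localhost:7777", "preferredHost": "http://localhost:7777",
        "security": "open"}
    request = fill_request(TEMPLATE, post_values, ["http://localhost:14100"])
    print(request)
    for finding in validate_request(request):
        print(finding)
```

Run against the post's own values the checker reports only the open-mode warning, which is the expected result for this lab setup; a typo in the security mode or a server address without a port is caught before the registration request is ever sent to the Admin Server.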
Running the command
Ensure the Admin Server and the managed server for OAM are up and running.
<RREG_Home>\bin\oamreg.bat inband input\OAM11GRequest_short.xml
==>
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin\oamreg.bat inband input\OAM11GRequest_short.xml
Note: out-of-band mode is used in cases where you are an end user and do not have access to the server. For details on how to complete registration in out-of-band mode, refer to the product docs.
Sample run:
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>oamreg.bat inband input\OAM11GRequest_short.xml
OAM_REG_HOME=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg
CLASSPATH=C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\rreg.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\RequestResponse.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-codec-1.3.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-httpclient-3.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\commons-logging-1.1.1.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojmisc.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-internal.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-common.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identitystore.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\identityutils.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ldapjclnt11.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\dms.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\fmw_audit.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\ojdl.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\oraclepki.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_cert.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_core.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_jce.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_saml.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\osdt_xmlsec.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\xmlparserv2.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\jps-unsupported-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\nap-api.jar;C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\lib\utilities.jar;
------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are:
Mode: inband
Filename: C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\input\OAM11GRequest_short.xml
Enter admin username:weblogic
Username: weblogic
Enter admin password:
Do you want to enter a Webgate password?(y/n):
y
Enter webgate password:
Enter webgate password again:
Password accepted. Proceeding to register..
Aug 1, 2012 5:20:51 PM oracle.security.am.engines.rreg.client.handlers.request.OAM11GRequestHandler getWebgatePassword
INFO: Passwords matched and accepted.
Do you want to import an URIs file?(y/n):
n
----------------------------------------
Request summary:
OAM11G Agent Name:RREG_OAM11G
Base URL:http://localhost:7777
URL String:RREG_HostId11G
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://localhost:7001
----------------------------------------
Inband registration process completed successfully! Output artifacts are created in the output folder.
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\bin>
B. Copy generated files and artifacts to the Webgate instance location
Regardless of the method or mode you use to register the new Webgate agent, the following files and artifacts are generated in the <RREG_Home>/output/<Agent_ID> directory:
* cwallet.sso
* ObAccessClient.xml
Our method is in-band and the mode is open.
In OPEN mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory, i.e.,
from
C:\Oracle\Middleware\Oracle_IDM1\oam\server\rreg\output\RREG_OAM11G
to
C:\Oracle\Middleware\Oracle_WT1\instances\instance1\config\OHS\ohs1\webgate\config
* ObAccessClient.xml
* cwallet.sso
3. Restarting the WebLogic Managed Servers
A. Restart the Oracle HTTP Server using opmn
B. Stop oam_server1
C. Stop the WLS Admin Server
D. Start the WLS Admin Server
E. Start oam_server1
Verification of OAM functionality and the web agent's registration
A. Open a web browser and hit the non-SSL HTTP URL of OHS, i.e.,
http://localhost:7777
B. You will be redirected to the OAM 11g SSO screen.
C. Enter the weblogic username and password and proceed.
D. You will now be redirected to the OHS page,
which means you reached the OHS page through OAM successfully!
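A check of the end state that sections D, B and this verification leave behind, as an added Python example that is not part of the original post and not an Oracle tool. It inspects the layout the post produces under the OHS instance directory (httpd.conf with the include line EditHttpConf adds, webgate.conf, and ObAccessClient.xml plus cwallet.sso under webgate/config) and interprets the first browser hit on the OHS URL; check_instance(), classify_first_hit() and make_sample_instance() are names chosen here, and the instance tree the last one builds in a temp directory is constructed for the demonstration.

```python
"""Verify the WebGate pieces on an OHS instance and interpret the first browser hit.

Added example: not part of the original post and not an Oracle tool. It checks the
layout the post produces (httpd.conf including webgate.conf, webgate.conf itself,
and ObAccessClient.xml plus cwallet.sso under webgate/config of the OHS instance
directory). make_sample_instance() builds a constructed tree in a temp directory
so the checks can be exercised without an installation.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

REQUIRED_ARTIFACTS = ("ObAccessClient.xml", "cwallet.sso")
INCLUDE_RE = re.compile(r'\s*include\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _norm(path):
    # EditHttpConf writes a mixed path (backslashes, then '/webgate.conf'); compare loosely
    return path.replace("\\", "/").lower()


def include_line_present(httpd_conf_text, webgate_conf_path):
    """True if some Include line in httpd.conf names webgate_conf_path."""
    wanted = _norm(webgate_conf_path)
    for line in httpd_conf_text.splitlines():
        m = INCLUDE_RE.match(line)
        if m and _norm(m.group(1)) == wanted:
            return True
    return False


def check_instance(instance_dir):
    """Return a list of problems; [] means the instance looks like the post's end state."""
    httpd_conf = os.path.join(instance_dir, "httpd.conf")
    webgate_conf = os.path.join(instance_dir, "webgate.conf")
    config_dir = os.path.join(instance_dir, "webgate", "config")
    if not os.path.isfile(httpd_conf):
        return [f"missing {httpd_conf}"]
    with open(httpd_conf, encoding="utf-8", errors="replace") as fh:
        conf_text = fh.read()
    problems = []
    if not include_line_present(conf_text, webgate_conf):
        problems.append("httpd.conf does not include webgate.conf (was EditHttpConf run?)")
    if not os.path.isfile(webgate_conf):
        problems.append("webgate.conf is missing from the instance directory")
    for name in REQUIRED_ARTIFACTS:
        if not os.path.isfile(os.path.join(config_dir, name)):
            problems.append(f"{name} is missing from webgate/config "
                            "(copy it from <RREG_Home>/output/<Agent_ID>)")
    return problems


def classify_first_hit(status, location, oam_server):
    """Interpret the response to an unauthenticated GET of the OHS root.

    'sso-redirect': WebGate sent the browser to the host:port of oam_server (step B
    above); 'unprotected': OHS served the page itself, so WebGate is not intercepting;
    'other': anything else (redirect elsewhere, error page)."""
    if status == 200:
        return "unprotected"
    if status in (301, 302, 303, 307) and location:
        want, got = urlsplit(oam_server), urlsplit(location)
        if (got.hostname, got.port) == (want.hostname, want.port):
            return "sso-redirect"
    return "other"


def make_sample_instance(include_line=True, with_artifacts=True):
    """Constructed OHS instance tree in a temp dir, mirroring the post's layout."""
    inst = tempfile.mkdtemp(prefix="ohs1_")
    webgate_conf = os.path.join(inst, "webgate.conf")
    conf = ["Listen 7777", "ServerName localhost"]
    if include_line:
        conf.append(f'include "{webgate_conf}"')  # the one line EditHttpConf adds
    with open(os.path.join(inst, "httpd.conf"), "w", encoding="utf-8") as fh:
        fh.write("\n".join(conf) + "\n")
    with open(webgate_conf, "w", encoding="utf-8") as fh:
        fh.write("# constructed stand-in for apache_webgate.template\n")
    config_dir = os.path.join(inst, "webgate", "config")
    os.makedirs(config_dir)
    if with_artifacts:
        for name in REQUIRED_ARTIFACTS:
            with open(os.path.join(config_dir, name), "w", encoding="utf-8") as fh:
                fh.write("constructed placeholder, not a real artifact\n")
    return inst


if __name__ == "__main__":
    print("complete instance:", check_instance(make_sample_instance()) or "OK")
    print("half-done instance:", check_instance(make_sample_instance(False, False)))
    print(classify_first_hit(302, "http://localhost:14100/", "http://localhost:14100"))
```

The 'unprotected' outcome is the one worth watching for: a 200 on the first unauthenticated hit means the request never reached the OAM SSO screen, so OHS content is being served without passing through OAM, typically because the include line or the copied artifacts are missing and OHS started without the agent.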