This chapter describes how to install and configure Oracle HTTP Server 11g Webgate for Oracle Access Manager.
It discusses the following topics:
Preparing to Install Oracle HTTP Server 11g Webgate for Oracle Access Manager
Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager
Verifying the Oracle HTTP Server 11g Webgate for Oracle Access Manager
Getting Started with a New Oracle HTTP Server 11g Webgate Agent for Oracle Access Manager
Installing Oracle HTTP Server 11g Webgate for Oracle Access Manager involves the following steps:
Installing Oracle HTTP Server 11g (11.1.1.5.0 or 11.1.1.6.0)
On Linux and Solaris operating systems: Installing third-party GCC libraries.
Note:
This step is required only if you are installing Oracle HTTP Server 11g 11.1.1.5.0.
Running the Oracle HTTP Server Webgate Installer to install Oracle HTTP Server 11g Webgate for Oracle Access Manager
Verifying the installation of Oracle HTTP Server 11g Webgate for Oracle Access Manager
Completing post-installation configuration steps
Registering the new Webgate agent
Table 12-1 lists the Installers and tools used to install and configure Oracle HTTP Server 11g Webgate for Oracle Access Manager at different stages of the installation and configuration process.
Table 12-1 Installation and Configuration Tools
| Task | Tool | 
|---|---|
| Install Oracle HTTP Server (11.1.1.5.0 or 11.1.1.6.0) | Oracle Web Tier Installer based on the version you want to use | 
| Install Oracle HTTP Server Webgate 11g | Oracle HTTP Server Webgate 11g Installer | 
| Register Webgate Agent | RREG Tool, or the Oracle Access Manager Administration Console | 
| Start or Stop Process Instances | OPMN Command-Line Tool | 
Oracle HTTP Server 11g Webgate for Oracle Access Manager requires Oracle HTTP Server 11g (11.1.1.5.0 or 11.1.1.6.0), which is included in the Oracle Web Tier 11g Installer. For information about installing Oracle HTTP Server, see the Oracle Fusion Middleware Installation Guide for Oracle Web Tier corresponding to the Oracle HTTP Server version you are using.
In addition, if you are using the Linux or Solaris operating system, you must install third-party GCC libraries on your machine before installing Oracle HTTP Server 11g Webgate for Oracle Access Manager. This step is required only if you are installing Oracle HTTP Server 11g 11.1.1.5.0.
This section discusses the following topics:
Review Oracle HTTP Server 11g Webgate certification information, which is available in the Oracle Fusion Middleware Supported System Configurations document.
The Oracle Fusion Middleware Supported System Configurations document provides certification information for Oracle Fusion Middleware, including supported installation types, platforms, operating systems, databases, JDKs, and third-party products related to Oracle Identity and Access Management 11g Release 2 (11.1.2).
For information about installing Oracle Access Manager, see Installing and Configuring Oracle Identity and Access Management (11.1.2). For information about configuring Oracle Access Manager in a new or existing WebLogic administration domain, see Configuring Oracle Access Management.
In addition, see the "Securing Communication Between OAM 11g Servers and WebGates" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Management for information about configuring Oracle Access Manager in Open, Simple, or Cert mode.
Oracle HTTP Server 11g Webgate for Oracle Access Manager is supported on Oracle HTTP Server 11.1.1.5.0 and Oracle HTTP Server 11.1.1.6.0. You can install either of these versions.
Note:
If you are installing Oracle HTTP Server 11.1.1.5.0, you must first install Oracle HTTP Server 11.1.1.2.0 software and patch it to Oracle HTTP Server 11.1.1.5.0 using the Patch Set Installer.
If you do not have Oracle HTTP Server 11.1.1.2.0 installed, you can download the Oracle Web Tier 11g (11.1.1.2.0) Installer from the Oracle Technology Network (OTN):
http://www.oracle.com/technology/software/products/middleware/htdocs/fmw_11_download.html
Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:
http://edelivery.oracle.com/
Note:
For information about installing and configuring Oracle HTTP Server 11g software, see the "Installing Oracle Web Tier" topic in the Oracle Fusion Middleware Installation Guide for Oracle Web Tier.
For information about patching Oracle HTTP Server 11.1.1.2.0 to 11.1.1.5.0 using the corresponding Patch Set Installer, see the "Applying the Latest Oracle Fusion Middleware Patch Set" topic in the Oracle Fusion Middleware Patching Guide.
After you install and configure Oracle HTTP Server, a working instance of Oracle HTTP Server is configured in an Instance Home.
If you are installing Oracle HTTP Server 11.1.1.5.0 Webgate for Oracle Access Manager on a Linux or Solaris operating system, you must download and install third-party GCC libraries on your machine. See Table 12-2 for more information.
You can download the appropriate GCC library from the following third-party website:
Note:
You must download sources from this website and compile them to obtain the GCC libraries.
For some operating systems, the required libraries may be available as installable packages from the support websites of operating system vendors.
Table 12-2 Versions of GCC Third-Party Libraries for Linux and Solaris
| Operating System | Architecture | GCC Libraries | Required Library Version | 
|---|---|---|---|
| Linux 32-bit | x86 | libgcc_s.so.1 libstdc++.so.5 | 3.3.2 | 
| Linux 64-bit | x64 | libgcc_s.so.1 libstdc++.so.6 | 3.4.6 | 
| Solaris 64-bit | SPARC | libgcc_s.so.1 libstdc++.so.5 | 3.3.2 | 
Perform the following checks to verify the version of GCC libraries:
On the Linux32 on i386 platform:
Run the following commands and ensure that their output is always greater than 0:
strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
file libgcc_s.so.1 | grep "32-bit" | grep -c "80386"
file libstdc++.so.5 | grep "32-bit" | grep -c "80386"
On the Linux 64 on x86-64 platform:
Run the following commands and ensure that their output is always greater than 0:
strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
strings -a libgcc_s.so.1 | grep -c "GCC_4.2.0"
file libgcc_s.so.1 | grep "64-bit" | grep -c "x86-64"
file -L libstdc++.so.6 | grep "64-bit" | grep -c "x86-64"
On the Solaris 64 on SPARC platform:
Run the following commands and ensure that their output is always greater than 0:
strings -a libgcc_s.so.1 | grep -c "GCC_3.0"
strings -a libgcc_s.so.1 | grep -v "GCC_3.3.1" | grep -c "GCC_3.3"
file libgcc_s.so.1 | grep "64-bit" | grep -c "SPARC"
file libstdc++.so.5 | grep "64-bit" | grep -c "SPARC"
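The three per-platform check lists above are the same four or five pipelines with different library names and architecture strings. The script below is an added example, not part of the Oracle guide: it runs the checks from Table 12-2 for one platform against a directory holding the libraries, prints each count, and returns non-zero if any count is not greater than 0, so it can be dropped into a provisioning pipeline as a gate. The platform keywords (linux32, linux64, solaris64) and the use of file -L for both libraries (the guide uses it only for libstdc++.so.6) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): run the Table 12-2 GCC library
# checks for one platform. Exit status is 0 only if every count is > 0.
# Usage: check_gcc_libs linux32|linux64|solaris64 /directory/containing/the/libraries

# Number of lines of TEXT that contain PATTERN. "|| true" keeps a zero count from
# aborting a caller running under "set -e" (grep -c exits 1 when nothing matches).
count_in() {
  printf '%s\n' "$1" | grep -c -- "$2" || true
}

# The guide's "grep -v GCC_3.3.1 | grep -c GCC_3.3" pipeline: GCC_3.3* symbol
# versions, with GCC_3.3.1 excluded.
count_gcc33() {
  printf '%s\n' "$1" | grep -v "GCC_3.3.1" | grep -c "GCC_3.3" || true
}

# The guide's 'file ... | grep "<bits>" | grep -c "<arch>"' pipeline.
count_arch() {
  printf '%s\n' "$1" | grep -- "$2" | grep -c -- "$3" || true
}

# Print one check result; return 1 when the count is not a number greater than 0.
report() {
  if [ "$2" -gt 0 ] 2>/dev/null; then
    echo "PASS  $1 ($2)"
  else
    echo "FAIL  $1 ($2)"
    return 1
  fi
}

check_gcc_libs() {
  platform=$1
  libdir=$2
  failed=0
  case "$platform" in
    linux32)   stdcxx=libstdc++.so.5; bits=32-bit; arch=80386;  need_42=0 ;;
    linux64)   stdcxx=libstdc++.so.6; bits=64-bit; arch=x86-64; need_42=1 ;;
    solaris64) stdcxx=libstdc++.so.5; bits=64-bit; arch=SPARC;  need_42=0 ;;
    *) echo "unknown platform: $platform (use linux32, linux64 or solaris64)" >&2; return 2 ;;
  esac

  gcc_lib=$libdir/libgcc_s.so.1
  cxx_lib=$libdir/$stdcxx
  # Symbol-version tags embedded in libgcc_s; empty if the file is missing.
  syms=$(strings -a "$gcc_lib" 2>/dev/null || true)
  # "file -L" follows symlinks, which is why the guide uses it for libstdc++.so.6;
  # using it for both files is a harmless generalisation.
  gcc_desc=$(file -L "$gcc_lib" 2>/dev/null || true)
  cxx_desc=$(file -L "$cxx_lib" 2>/dev/null || true)

  report "libgcc_s.so.1 exports GCC_3.0" "$(count_in "$syms" "GCC_3.0")" || failed=1
  report "libgcc_s.so.1 exports GCC_3.3" "$(count_gcc33 "$syms")" || failed=1
  if [ "$need_42" -eq 1 ]; then
    report "libgcc_s.so.1 exports GCC_4.2.0" "$(count_in "$syms" "GCC_4.2.0")" || failed=1
  fi
  report "libgcc_s.so.1 is $bits $arch" "$(count_arch "$gcc_desc" "$bits" "$arch")" || failed=1
  report "$stdcxx is $bits $arch" "$(count_arch "$cxx_desc" "$bits" "$arch")" || failed=1
  return $failed
}

if [ $# -ge 2 ]; then
  check_gcc_libs "$1" "$2"
fi
```

Run it as `sh check_gcc_libs.sh linux64 /usr/lib64` (or wherever the compiled libraries were placed) before starting the Webgate installer; a FAIL line names the exact check from the guide that did not hold.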
If you are using Windows 2003 or Windows 2008 64-bit operating systems, you must install Microsoft Visual C++ 2005 libraries on the machine hosting the Oracle HTTP Server 11g Webgate for Oracle Access Manager.
These libraries are included in the Microsoft Visual C++ 2005 SP1 Redistributable Package (x64), which can be downloaded from the following website:
In addition, install the Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package MFC Security Update, which can be downloaded from the following website:
This section discusses the following topics:
You can download the Oracle HTTP Server 11g Webgate for Oracle Access Manager Installer from the Oracle Technology Network (OTN):
http://www.oracle.com/technetwork/middleware/downloads/oid-11g-161194.html
Alternatively, you can download the latest Oracle Fusion Middleware 11g software from the following website:
http://edelivery.oracle.com/
Start the Installer by executing one of the following commands:
UNIX: <full path to the runInstaller directory>/runInstaller -jreLoc <WebTier_Home>/jdk
Windows: <full path to the setup.exe directory>\setup.exe -jreLoc <WebTier_Home>\jdk
Note:
When you install Oracle HTTP Server, the jdk directory is created under the <WebTier_Home> directory. You must enter the absolute path of the JRE folder located in this JDK when launching the installer. For example, on Windows, if the JDK is located in D:\oracle\Oracle_WT1\jdk, then launch the installer from the command prompt as follows:
D:\setup.exe -jreLoc D:\oracle\Oracle_WT1\jdk
After the Installer starts, the Welcome screen appears. Continue by referring to the section Installation Flow and Procedure for installing Oracle HTTP Server 11g Webgate for Oracle Access Manager.
Follow the instructions in Table 12-3 to install Oracle HTTP Server 11g Webgate for Oracle Access Manager.
If you need additional help with any of the installation screens, click Help to access the online help.
Table 12-3 Installation Flow and Procedure
| No. | Screen | Description and Action Required | 
|---|---|---|
| 1 | Welcome Screen | Click Next to continue. | 
| 2 | Prerequisite Checks Screen | Click Next to continue. | 
| 3 | Specify Installation Location Screen | Specify the Middleware Home and Oracle Home locations. Note that the Middleware Home should contain an Oracle Home for Oracle Web Tier. Oracle WebLogic Server is not a prerequisite for installing Oracle HTTP Server Webgate. However, Oracle HTTP Server, which is a component of Oracle Web Tier, requires only the directory structure for the Middleware home. For more information about these directories, see "Understanding Oracle Fusion Middleware Concepts and Directory Structure" in Oracle Fusion Middleware Installation Planning Guide. Click Next to continue. | 
| 5 | Installation Summary Screen | Verify the information on this screen. Click Install to begin the installation. | 
| 6 | Installation Progress Screen | If you are installing on a UNIX system, you may be asked to run the  Click Next to continue. | 
| 7 | Installation Complete Screen | Click Finish to dismiss the installer. | 
You must complete the following steps after installing Oracle HTTP Server 11g Webgate for Oracle Access Manager:
Move to the following directory under your Oracle Home for Webgate:
On UNIX operating systems:
<Webgate_Home>/webgate/ohs/tools/deployWebGate
On Windows operating systems:
<Webgate_Home>\webgate\ohs\tools\deployWebGate
On the command line, run the following command to copy the required bits of agent from the Webgate_Home directory to the Webgate Instance location:
On UNIX operating systems:
./deployWebGateInstance.sh -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>
On Windows operating systems:
deployWebGateInstance.bat -w <Webgate_Instance_Directory> -oh <Webgate_Oracle_Home>
Where <Webgate_Oracle_Home> is the directory in which you installed Oracle HTTP Server Webgate, that is, the Oracle Home for Webgate, as in the following example:
<MW_HOME>/Oracle_OAMWebGate1
The <Webgate_Instance_Directory> is the location of the Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:
<MW_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1
Note that an Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server. This configuration is performed after installing Oracle HTTP Server 11.1.1.5.0 or Oracle HTTP Server 11.1.1.6.0.
Run the following command to ensure that the LD_LIBRARY_PATH variable contains <Oracle_Home_for_Oracle_HTTP_Server>/lib:<Webgate_Installation_Directory>/webgate/ohs/lib
On UNIX (depending on the shell):
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Oracle_Home_for_Oracle_HTTP_Server>/lib:<Webgate_Installation_Directory>/webgate/ohs/lib
On Windows:
Add the <Webgate_Installation_Directory>\webgate\ohs\lib location and the <Oracle_Home_for_Oracle_HTTP_Server>\lib location to the PATH environment variable: append a semicolon (;) followed by each path to the end of the existing PATH value.
On UNIX operating systems, move to:
<Webgate_Home>/webgate/ohs/tools/setup/InstallTools
On Windows operating systems, move to:
<Webgate_Home>\webgate\ohs\tools\EditHttpConf
On the command line, run the following command. It copies apache_webgate.template from the Webgate_Home directory to the Webgate Instance location (renamed to webgate.conf) and adds one line to the httpd.conf file that includes webgate.conf:
On UNIX operating systems:
./EditHttpConf -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]
On Windows operating systems:
EditHttpConf.exe -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]
Note:
The -oh <WebGate_Oracle_Home> and -o <output_file> parameters are optional.
Where <Webgate_Oracle_Home> is the directory in which you installed Oracle HTTP Server Webgate for Oracle Access Manager, that is, the Oracle Home for Webgate, as in the following example:
<MW_HOME>/Oracle_OAMWebGate1
The <Webgate_Instance_Directory> is the location of the Webgate Instance Home, which is the same as the Instance Home of Oracle HTTP Server, as in the following example:
<MW_HOME>/Oracle_WT1/instances/instance1/config/OHS/ohs1
The <output_file> is the name of the temporary output file used by the tool, as in the following example:
webgate.conf
Note that an Instance Home for Oracle HTTP Server is created after you configure Oracle HTTP Server. This configuration is performed after installing Oracle HTTP Server 11.1.1.5.0 or Oracle HTTP Server 11.1.1.6.0.
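The post-installation steps above leave three things to confirm before going further: webgate.conf was written into the instance directory, httpd.conf was given the include line for it, and LD_LIBRARY_PATH carries both lib directories. The script below is an added example, not part of the Oracle guide or the Webgate tools: it checks those three outcomes and fails if any is missing, since a Webgate whose configuration is never included simply does not protect the server. Because the guide does not fix the exact spelling of the include directive, the check only requires "include" and "webgate.conf" on one line of httpd.conf (case-insensitive); that relaxation is this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): verify that EditHttpConf and the
# environment setup left the Webgate instance wired up.
# Usage: verify_webgate_wiring <Webgate_Instance_Directory> [<OHS_Oracle_Home> <Webgate_Home>]

# Succeed only if httpd.conf names webgate.conf on an include directive.
httpd_includes_webgate() {
  grep -i 'include' "$1" 2>/dev/null | grep -iq 'webgate\.conf'
}

# Succeed only if every directory given after the first argument appears as a
# colon-separated entry of the path string passed as the first argument.
path_has_all() {
  pathval=$1
  shift
  for want in "$@"; do
    case ":$pathval:" in
      *":$want:"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

verify_webgate_wiring() {
  inst=$1
  ohs_home=$2
  wg_home=$3
  rc=0
  if [ -f "$inst/webgate.conf" ]; then
    echo "PASS  $inst/webgate.conf present"
  else
    echo "FAIL  $inst/webgate.conf missing (EditHttpConf not run against this instance?)"
    rc=1
  fi
  if httpd_includes_webgate "$inst/httpd.conf"; then
    echo "PASS  httpd.conf includes webgate.conf"
  else
    echo "FAIL  httpd.conf does not include webgate.conf; the Webgate module will not be loaded"
    rc=1
  fi
  # The library check is optional: it needs the two Oracle Homes to build the
  # expected entries, exactly as the export LD_LIBRARY_PATH line in the guide does.
  if [ -n "$ohs_home" ] && [ -n "$wg_home" ]; then
    if path_has_all "${LD_LIBRARY_PATH:-}" "$ohs_home/lib" "$wg_home/webgate/ohs/lib"; then
      echo "PASS  LD_LIBRARY_PATH carries both lib directories"
    else
      echo "FAIL  LD_LIBRARY_PATH lacks $ohs_home/lib or $wg_home/webgate/ohs/lib"
      rc=1
    fi
  fi
  return $rc
}

if [ $# -ge 1 ]; then
  verify_webgate_wiring "$@"
fi
```

Run it from the shell that will start OHS, for example `sh verify_webgate_wiring.sh $MW_HOME/Oracle_WT1/instances/instance1/config/OHS/ohs1 $MW_HOME/Oracle_WT1 $MW_HOME/Oracle_OAMWebGate1`, because LD_LIBRARY_PATH is only checked in the invoking environment.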
After completing the installation of Oracle HTTP Server 11g Webgate for Oracle Access Manager, including the post-installation steps, you can examine the oraInst.loc log file to verify the installation. The oraInst.loc file specifies the location of the Oracle Inventory directory where the Installer creates the inventory of Oracle products installed on the system.
On UNIX, if you do not know the location of your Oracle Inventory directory, you can find it in the <Webgate_Home>/oraInst.loc file.
On Windows, the default location for the inventory directory is C:\Program Files\Oracle\Inventory.
Before you can get started with the new Oracle HTTP Server 11g Webgate agent for Oracle Access Manager, you must complete the following tasks:
You can register the new Webgate agent with Oracle Access Manager by using the Oracle Access Manager Administration Console. For more information, see the "Registering Partners (Agents and Applications) by Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
Alternatively, you can use the RREG command-line tool to register a new Webgate agent. The tool can be run in two modes: In-Band mode, and Out-Of-Band mode. For more information, see the "Registering Agents and Applications Remotely" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager.
After installing and configuring Oracle Access Manager, navigate to the following location:
On UNIX operating systems:
<IAM_Home>/oam/server/rreg/client
On Windows operating systems:
<IAM_Home>\oam\server\rreg\client
On the command line, extract the RREG.tar.gz file using gunzip and tar, as in the following example:
gunzip RREG.tar.gz
tar -xvf RREG.tar
The tool used to register the agent is located in the following location:
On UNIX operating systems:
<RREG_Home>/bin/oamreg.sh
On Windows operating systems:
<RREG_Home>\bin\oamreg.bat
Note:
<RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to.
Set the following environment variables in the oamreg.sh script or in the oamreg.bat script:
OAM_REG_HOME - Set this variable to the absolute path to the directory where you extracted the contents of RREG.tar/rreg.
JAVA_HOME - Set this variable to the absolute path to the directory where Java/JDK is installed on your machine.
Updating the OAM11gRequest.xml File
You must update the agent parameters, such as agentName, in the OAM11GRequest.xml file located in the <RREG_Home>\input directory on the Windows operating system. On the UNIX operating system, the file is located in the <RREG_Home>/input directory.
Note:
The OAM11GRequest.xml file, or the short version OAM11GRequest_short.xml, is used as a template. You can copy this template file and edit the copy.
Modify the following required parameters in the OAM11GRequest.xml file or in the OAM11GRequest_short.xml file:
<serverAddress>
Specify the host and the port of the Administration Server.
<agentName>
Specify any custom name for the agent.
<agentBaseUrl>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<preferredHost>
Specify the host and the port of the machine where Oracle HTTP Server 11g Webgate is installed.
<security>
Specify the security mode, such as open, based on the Webgate installed.
<primaryServerList>
Specify the host and the port of Managed Server for Oracle Access Manager proxy, under a <Server> container element.
After modifying the file, save the file and close.
If you run the RREG tool once after updating the Webgate parameters in the OAM11GRequest.xml file, the files and artifacts required by Webgate are generated in the following directory:
On UNIX operating systems:
<RREG_Home>/output/<agent_name>
On Windows operating systems:
<RREG_Home>\output\<agent_name>
Note:
You can run RREG either on a client machine or on the server machine. If you are running it on the server machine, you must manually copy the artifacts back to the client machine.
Complete the following steps:
Open the OAM11GRequest.xml file, which is located in the input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input on Windows). <RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to. Edit this XML file and fill in parameters for the new Oracle HTTP Server Webgate for Oracle Access Manager.
Run the following command on the command line:
On UNIX operating systems:
<RREG_Home>/bin/oamreg.sh inband input/OAM11GRequest.xml
On Windows operating systems:
<RREG_Home>\bin\oamreg.bat inband input\OAM11GRequest.xml
If you are an end-user with no access to the server, you can email your updated OAM11GRequest.xml file to the system administrator, who can run RREG in the Out-Of-Band mode. You can collect the generated <AgentID>_Response.xml file from the system administrator and run RREG on this file to obtain the Webgate files and artifacts you require.
After you receive the generated <AgentID>_Response.xml file from the administrator, you must manually copy the file to the input directory on your machine.
Complete the following steps:
If you are an end-user with no access to the server, open the OAM11GRequest.xml file, which is located in the input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). <RREG_Home> is the directory where you extracted the contents of RREG.tar.gz/rreg to. Edit this XML file and fill in parameters for the new Oracle HTTP Server Webgate for Oracle Access Manager. Send the updated file to your system administrator.
If you are an administrator, copy the updated OAM11GRequest.xml file to the input directory on your machine (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). This is the file you received from the end-user. Move to your (administrator's) RREG_Home directory and run the following command on the command line:
On UNIX operating systems:
<RREG_Home>/bin/oamreg.sh outofband input/OAM11GRequest.xml
On Windows operating systems:
<RREG_Home>\bin\oamreg.bat outofband input\OAM11GRequest.xml
An <Agent_ID>_Response.xml file is generated in the output directory on the administrator's machine (<RREG_Home>/output/ on UNIX, and <RREG_Home>\output\ on Windows). Send this file to the end-user who sent you the updated OAM11GRequest.xml file.
If you are an application owner, copy the generated <Agent_ID>_Response.xml file to your input directory (<RREG_Home>/input/ on UNIX, and <RREG_Home>\input\ on Windows). This is the file you received from the administrator. Move to your (client's) RREG home directory and run the following command on the command line:
On UNIX operating systems:
<RREG_Home>/bin/oamreg.sh outofband input/<Agent_ID>_Response.xml
On Windows operating systems:
<RREG_Home>\bin\oamreg.bat outofband input\<Agent_ID>_Response.xml
Note:
If you register the Webgate agent using the Oracle Access Manager Administration Console, as described in the "Registering Partners (Agents and Applications) by Using the Console" topic in the Oracle Fusion Middleware Administrator's Guide for Oracle Access Manager, you must manually copy the files and artifacts generated after the registration from the server machine (the machine where Oracle Access Manager Administration Console is running) to the client machine. The files and artifacts are generated in the <MW_HOME>/user_projects/domains/<name_of_the_WebLogic_domain_for_OAM>/output/<Agent_ID> directory.
Files and Artifacts Generated by RREG
Regardless of the method or mode you use to register the new Webgate agent, the following files and artifacts are generated in the <RREG_Home>/output/<Agent ID> directory:
cwallet.sso
ObAccessClient.xml
In the SIMPLE mode, RREG generates:
password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be the same as the passphrase used on the server.
aaa_key.pem
aaa_cert.pem
In the CERT mode, RREG generates:
password.xml, which contains the obfuscated global passphrase to encrypt the private key used in SSL. This passphrase can be different than the passphrase used on the server.
Note:
You can use these files generated by RREG to generate a certificate request and to get it signed by a third-party Certification Authority. To install an existing certificate, you must use the existing aaa_cert.pem and aaa_chain.pem files along with password.xml and aaa_key.pem.
After RREG generates these files and artifacts, you must manually copy them (cwallet.sso, ObAccessClient.xml, password.xml, aaa_key.pem, aaa_cert.pem, based on the security mode you are using) from the <RREG_Home>/output/<Agent ID> directory to the <Webgate_Instance_Home> directory.
In OPEN mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:
ObAccessClient.xml
cwallet.sso
In SIMPLE mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
In addition, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config/simple directory:
aaa_key.pem
aaa_cert.pem
In CERT mode, copy the following files from the <RREG_Home>/output/<Agent_ID> directory to the <Webgate_Instance_Home>/webgate/config directory:
ObAccessClient.xml
cwallet.sso
password.xml
After copying the files, you must either generate a new certificate or migrate an existing certificate.
Generating a New Certificate (Only for CERT Mode)
You can generate a new certificate as follows:
From your present working directory, move to the <Webgate_Home>/webgate/ohs/tools/openssl directory.
On the command line, create a certificate request as follows:
./openssl req -utf8 -new -nodes -config openssl_silent_ohs11g.cnf -keyout aaa_key.pem -out aaa_req.pem -rand <Webgate_Home>/webgate/ohs/config/random-seed
Self-sign the certificate as follows:
./openssl ca -config openssl_silent_ohs11g.cnf -policy policy_anything -batch -out aaa_cert.pem -infiles aaa_req.pem
Copy the following generated certificates to the <Webgate_Instance_Home>/webgate/config directory:
aaa_key.pem
aaa_cert.pem
cacert.pem located in the simpleCA directory
Note:
After copying the cacert.pem file, you must rename the file to aaa_chain.pem.
Migrating an Existing Certificate (Only for CERT Mode)
If you want to migrate an existing certificate (aaa_key.pem, aaa_cert.pem, and aaa_chain.pem), be sure to remember the passphrase that you used to encrypt aaa_key.pem. You must enter the same passphrase during the RREG registration process. If you do not use the same passphrase, the password.xml file generated by RREG does not match the passphrase used to encrypt the key.
If you enter the same passphrase, you can copy these certificates as follows:
From your present working directory, move to the <Webgate_Instance_Home>/webgate/config directory.
Copy the following certificates to the <Webgate_Instance_Home>/webgate/config directory:
aaa_key.pem
aaa_cert.pem
aaa_chain.pem
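Whether the CERT-mode files were freshly generated with the openssl commands above or migrated from an existing certificate, three things can silently go wrong: the passphrase given to RREG does not open aaa_key.pem (the mismatch warned about above), aaa_key.pem and aaa_cert.pem are not a pair, or aaa_cert.pem does not chain to aaa_chain.pem. The script below is an added example, not part of the Oracle guide or the Webgate tools: it checks all three with standard openssl subcommands before OHS is restarted. It reads the passphrase from an environment variable named WEBGATE_KEY_PASSPHRASE (this example's own convention) rather than from a command-line argument, so the passphrase does not appear in the process list; the file names and the webgate/config directory come from the guide.

```shell
#!/bin/sh
# Added example (not from the Oracle guide): consistency checks for a CERT-mode
# file set in <Webgate_Instance_Home>/webgate/config.
# Usage: WEBGATE_KEY_PASSPHRASE='...' check_cert_set <Webgate_Instance_Home>/webgate/config

# 0 if WEBGATE_KEY_PASSPHRASE decrypts the private key.
key_opens_with_passphrase() {
  openssl pkey -in "$1" -passin env:WEBGATE_KEY_PASSPHRASE -noout >/dev/null 2>&1
}

# 0 if the certificate's public key equals the one derived from the private key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin env:WEBGATE_KEY_PASSPHRASE -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the certificate verifies against the chain file.
cert_chains_to() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

check_cert_set() {
  dir=$1
  rc=0
  for f in aaa_key.pem aaa_cert.pem aaa_chain.pem password.xml; do
    if [ ! -f "$dir/$f" ]; then
      echo "FAIL  $dir/$f missing"
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return 1
  if [ -z "${WEBGATE_KEY_PASSPHRASE:-}" ]; then
    echo "FAIL  WEBGATE_KEY_PASSPHRASE is not set"
    return 1
  fi
  # openssl reads the passphrase from the environment, so it must be exported.
  export WEBGATE_KEY_PASSPHRASE
  if key_opens_with_passphrase "$dir/aaa_key.pem"; then
    echo "PASS  passphrase opens aaa_key.pem"
  else
    echo "FAIL  passphrase does not open aaa_key.pem; password.xml from RREG will not match it"
    rc=1
  fi
  if key_matches_cert "$dir/aaa_key.pem" "$dir/aaa_cert.pem"; then
    echo "PASS  aaa_key.pem and aaa_cert.pem are a pair"
  else
    echo "FAIL  aaa_cert.pem was not issued for aaa_key.pem"
    rc=1
  fi
  if cert_chains_to "$dir/aaa_cert.pem" "$dir/aaa_chain.pem"; then
    echo "PASS  aaa_cert.pem verifies against aaa_chain.pem"
  else
    echo "FAIL  aaa_cert.pem does not verify against aaa_chain.pem"
    rc=1
  fi
  return $rc
}

if [ $# -eq 1 ]; then
  check_cert_set "$1"
fi
```

For the self-signed certificate produced by the openssl ca step above, aaa_chain.pem is the renamed cacert.pem, so the chain check confirms that the rename was done; for a migrated certificate it confirms that the chain file delivered with it really covers the certificate.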
You can use the Oracle Process Manager and Notification Server (OPMN) command-line tool to start or stop your Oracle HTTP Server instance. If any instances are running, run the following command on the command line to stop all running instances:
<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl stopall
To restart the Oracle HTTP Server instance, run the following commands on the command line:
<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl start
<Oracle_Home_for_Oracle_HTTP_Server>/opmn/bin/opmnctl startproc ias-component=<Oracle_HTTP_Server_Instance_Name>