Page 1
System Configuration: Servers, Data Sources, and Agents
Page 2
After completing this lesson, you should be able to:
• Manage servers by using the OAM administration (admin) console and the Oracle WebLogic Server (WLS) admin console
• Manage data sources
– User Identity Store
• Register and manage agents by using the OAM admin console
• Register agents remotely
• Secure communication between a WebGate and the OAM server
Page 3
Practice 4 Overview: Installing and Configuring OHS 11g
This practice covers the following topics:
• Practice 4-1: Install and configure OHS 11g instances
Page 4
Road Map
• Installing and configuring agents
• Registering agents: The OAM admin console, in-band, out-of-band
• Understanding WLS agents
• Managing data sources
• Securing communication between agents and the OAM server
Page 5
Oracle Access Manager servers are of two types:
• OAM administration server
• OAM managed server
– Contains the embedded OAM and OSSO proxy servers, which support backward compatibility
OAM servers are initially created by using:
• The WLS Configuration Wizard
OAM servers are managed by using:
• The OAM admin console (primary management interface)
• The WLST command-line interface
• The WLS admin console: status, start/stop
• The Enterprise Manager (EM) Fusion Middleware (FMW) Control: view logs, start/stop, monitoring
Page 6
Creating and Deleting a New Managed Server
Page 7
• The OAM run-time server runs within the OAM managed server oam_server1 (default name)
• By using the WLS Configuration Wizard, the WLS admin console, or the WLST CLI you can:
– Create new managed servers (for clustering and high availability)
– Change the default name and port for managed servers
• By using the OAM admin console or the WLST CLI you can:
– Create the definition for new managed servers
Page 8
Individual Server Properties
• OAM admin console > System Configuration tab > Server Instances > server_name
• Server Properties:
– Site Name: This is a name for the server instance, defined during initial configuration by using the Configuration Wizard.
– Host: This is the full DNS name (or IP address) of the computer that is hosting the server instance.
– Port: This is the port on which this server communicates.
– OAM Proxy:
— WebLogic Port: WLS listening port
— Port: OAM proxy instance port
— Proxy Server ID: Identifier of the computer on which the OAM proxy resides
— Mode: Transport security setting for the OAM proxy
– Coherence
Page 9
OAM Proxy
• Motivation for OAM proxy:
– OAM proxy is installed with each managed server for the OAM server and is used for communication between WebGates and the OAM 11g server.
– It is used as a legacy access server to provide backward compatibility for OAM 10g agents that are registered with the OAM 11g server.
– It coexists with 10g WebGates/ASDK.
– It supports OAM 11g WebGates.
• Functionality:
– It shields the 11g server from client-specific behavior and protocol.
– It supports the OAP (formerly known as NAP) back channel from WebGates to the 11g server. The default port is 5575.
– It supports HTTP front channel request handling required for WebGates.
Page 10
Managing Servers from WLS Admin Console and
– Show Deployments tab
– Show both admin and managed server for OAM
• Command line option to start:
– Admin server: startWebLogic.cmd
– Managed server: startManagedWebLogic.cmd server_name http://admin_server_host:admin_server_port
Page 11
Road Map
• Managing OAM servers
• Installing and configuring agents
• Registering agents: OAM admin console, in-band, out-of-band
• Understanding WLS agents
• Managing data sources
• Securing communication between agents and the OAM server
Page 12
Oracle Access Manager policy enforcement agents:
• Filter HTTP requests
• Are installed on the Web server
• Are of two types:
– OAM agent: WebGate (10g or 11g) or AccessGate
– OSSO agent: mod_osso
Page 13
WebGate Provisioning and Installation
• Working with WebGate is a two-step process:
1. WebGate installation
2. WebGate provisioning
• Provisioning is the process of creating a WebGate profile in the OAM 11g server
• OAM 11g: Two ways of provisioning:
– Using the OAM 11g console
– Using the remote registration tool
• In OAM 10g, this was achieved by using:
– Access System console > Add AccessGate
Page 14
Installing and Configuring WebGate 11g
• A WebGate's deployment structure should be aligned with the OHS 11g directory structure
– WebGate Oracle home:
— All the WebGate binaries and common configuration files reside here.
— It is aligned with the OHS 11g ORACLE_HOME.
— Single installation in a Middleware home
– WebGate Instance home:
— All WebGate configuration files are deployed here.
— It is aligned with the OHS 11g ORACLE_INSTANCE.
— Each OHS instance has one WebGate instance.
• You have the ability to create and configure multiple WebGate instances.
• A WebGate's module configuration resides in a separate CONF file (webgate.conf), which is included in the httpd.conf file of the OHS instance.
Page 15
Installing and Configuring WebGate 11g
• Installing through the OUI installer
– Provide the Middleware home
– Update the Web server configuration:
EditHttpConf -w <WebGate_instancedir> [-oh <WebGate Oracle Home>] [-o <output_file>]
Page 16
Installing and Configuring WebGate 11g
– Registering a WebGate with the OAM 11g server
— Run RREG (artifacts are generated in <RREG_HOME>/output/<Agent ID>)
— Copy the RREG-generated artifacts to the WebGate instance
Page 17
Practice 4 Overview: Installing, Creating, and Configuring an OAM 11g WebGate
This practice covers the following topics:
• Practice 4-2: Install an OAM 11g WebGate
• Practice 4-3: Create an OAM 11g WebGate instance
• Practice 4-4: Configure an OAM 11g WebGate
Page 18
Road Map
• Managing OAM servers
• Installing and configuring agents
• Registering agents: OAM admin console, in-band, out-of-band
• Understanding WLS agents
• Managing data sources
• Securing communication between agents and the OAM server
Page 19
Registering Agents
• Registration is the process of provisioning an agent in the OAM 11g server, which includes the following:
– An agent profile is created on the server.
– Output artifacts, consumed by the agent at run time, are created on the client or server.
– Default policies are created to protect the agent applications (AuthN or AuthZ).
• Agents are registered by using:
– The OAM admin console (System Configuration > Agents > OAM agents/OSSO agents)
– The remote registration utility (oamreg)
• Agent registration results in the automatic creation of a new application domain named after the agent
Page 20
Registering Agents
• Agent registration results in:
– A new host identifier, created with the agent name as its name
– Default Authentication and Authorization policies
– A key generated for partners (applications) during registration
– A key generated for the SSO Engine, used for encrypting and decrypting SSO cookies (ObSSOCookie for WebGates and the mod_osso cookie)
– A new directory, <MW_HOME>/user_projects/domains/<domain_name>/output/<agent_name>, containing:
— ObAccessClient.xml (for WebGate or AccessGate)
— osso.conf file (for mod_osso)

ObAccessClient.xml (OAM 10g)              ObAccessClient.xml (OAM 11g)
Generated by the configureWebGate tool    Generated by the remote registration tool
Available on the WebGate host             Available on the OAM server host
Page 21
Creating or Registering OAM Agents by Using OAM Admin Console
Page 22
Viewing and Editing OAM Agent Registration by Using OAM Admin Console
Page 23
Creating or Registering OSSO Agents by Using OAM Admin Console
Page 24
Viewing and Editing OSSO Agent Registration by Using OAM Admin Console
Page 25
Configuring OAM 10g WebGate in an Existing OAM 10g Deployment to Use OAM 11g Server
• Prerequisites:
– Apply the latest patch to the OAM 10g WebGates
– Make sure the OAM 11g servers (admin and managed) are up and running
• Register the OAM 10g WebGate by using either of the following:
– The OAM 11g admin console
– The remote registration method
• Manually update the WebGate configuration file
• Restart the Web server
Page 26
In-Band Versus Out-of-Band Registration of Agents
• Agent (OAM and OSSO agents) registration by in-band (within the network) administrators:
– Uses the OAM admin console, or
– Uses the remote registration tool
• Agent (OAM and OSSO agents) registration by out-of-band (outside the network) administrators:
– Uses the remote registration tool
— Submit the agent registration request to the in-band administrators
— Receive a response file from the in-band administrators
— Configure the environment by using the response file
• An in-band administrator must be a registration administrator
Page 27
Registration Tool
• This is a Java-based command line tool.
• The oamreg tool is located in
– Create a user and group for registration administrators
– Set the username and password for administrators by using the registration tool
• Mode: inband or outofband
• Input file: The absolute path to the input file (*request.xml or *response.xml)
Page 28
Registration Tool
• In-band request command:
<OAM_REG_HOME>/bin/oamreg.bat inband <OAM_REG_HOME>/input/*Request*.xml
• Out-of-band request command:
<OAM_REG_HOME>/bin/oamreg.bat outofband <OAM_REG_HOME>/input/*Request*.xml
– <agentname>_Response.xml is the output file
• Out-of-band response command:
<OAM_REG_HOME>/bin/oamreg.bat outofband <OAM_REG_HOME>/input/<agentname>_Response.xml
• Output files (both in-band and out-of-band modes):
– osso.conf (for OSSO agents)
– ObAccessClient.xml (for OAM 10g and 11g agents)
• Results of running the script:
– Server side: Entry in the oam-config.xml file and policy store
Page 29
— password.xml generated by using the Cert password
— User is prompted for the Cert password
Page 30
Registration Tool
• Results of running the script:
– Client side:
— In-band mode:
— Input file: input/*Request*.xml
— Output file: osso.conf or ObAccessClient.xml files under
— Out-of-band mode:
— Input file: input/<agentname>_response.xml
— Output file: osso.conf or ObAccessClient.xml files under %OAM_REG_HOME%/output/<Agent_Name>/
Page 31
• *Request.xml is an extended file containing tags for all the fields exposed when viewing or editing an agent by using the OAM admin console
• *Request_short.xml is an abridged file containing tags for all the fields exposed when creating an agent by using the OAM admin console
Page 32
Sample Request File: Short Version
Page 33
Key Request Parameters
• Mandatory parameters:
– serverAddress: the URL of the OAM 11g admin server
– agentName: unique identifier name for the agent
– agentBaseUrl: base host:port of the agent
– hostIdentifier: name that identifies the host:port of the agent
– protectedResourcesList: relative paths for applications to be protected (OAM agents)
– publicResourcesList: relative paths for applications that do not need to be protected (OAM agents)
• Some optional parameters:
– security: mode for OAM 10g/11g WebGates (Open, Simple, or Cert); the default is Open
– applicationDomain: name for the application domain to be created for the agent
Page 34
Request File: Parameter Guidelines
Guidelines for parameters:
• <primaryCookieDomain>: Domain of the <agentBaseUrl>
• <preferredHost>: Generally the same as the <agentBaseUrl>
• <security>: Mode in which the WebGate agent is installed and the mode in which the OAM proxy is configured to run
• <primaryServerList>: At least one entry for the computer hosting the run-time (managed) server where the OAM proxy server resides, and the port of the OAM proxy server on this host
• <secondaryServerList>: Optional and empty by default
Page 35
In-Band Registration Using oamreg Tool
• Set up the oamreg tool
– Locate the RREG.tar.gz file in the following path:
— <OAM_HOME>/oam/server/rreg/client/RREG.tar.gz
– Untar the RREG.tar.gz file to any suitable location.
– Locate oamreg for your platform:
— <untarred_location>/rreg/bin/oamreg.sh or oamreg.bat
– In the oamreg script, set the environment variables:
— OAM_REG_HOME = <exploded_dir_for_RREG.tar>/rreg
— JDK_HOME = <Java_location_on_client_computer>
• Modify the request template.
– Under <OAM_HOME>/oam/server/rreg/input, locate one of the request files:
Page 36
In-Band Registration Using oamreg Tool
• Perform in-band remote registration
– Run the registration command and specify your own *Request*.xml as the input file:
— <OAM_HOME>\oam\server\rreg\bin\oamreg.bat inband <OAM_HOME>\oam\server\rreg\input\OAMRequest_short.xml
Page 37
In-Band Registration Using oamreg Tool
– Provide the registration administrator username and password.
– Confirm the Success message on screen.
– Review the native configuration file, ObAccessClient.xml or osso.conf, created for the agent in the <OAM_HOME>\oam\server\rreg\output\<agent_name> folder.
• Validate Agent and Application Domain Registration.
– Confirm new agent creation: OAM admin console > System Configuration > Agents
– Confirm the ObAccessClient.xml or osso.conf file under the <OAM_HOME>\oam\server\rreg\output\<agent_name> folder
– Deploy the above file and restart the Web server to bootstrap communication between the WebGate/OSSO agent and the OAM server
Page 38
In-Band Registration Using oamreg Tool
– Confirm new host identifier: OAM admin console > Policy Configuration > Shared Components > Host Identifier
– Confirm new Policy Domain: OAM admin console > Policy Configuration > Application Domains
• Validate authentication and access after registration
– Enter the URL for an application protected by the registered
– If you authenticate successfully and are granted access to the resource, the configuration is working properly.
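The in-band procedure on pages 35 to 38 (set up oamreg, run it against a request file, pick up ObAccessClient.xml or osso.conf from the output folder, deploy it to the WebGate instance) written as one script. This is an added example and not Oracle's code: it assumes oamreg is invoked as <OAM_REG_HOME>/bin/oamreg.sh inband <request.xml> and writes its artifact under <OAM_REG_HOME>/output/<agent_name>/ (both as the slides state), takes the agent name from <agentName> in the request file, and copies the artifact to <WebGate_instance>/webgate/config/, which is an assumed target directory. simulate_oamreg is a constructed stand-in for the real tool so the flow can be run without an OAM server.

```python
"""Drive in-band oamreg registration and deploy the generated artifact to a WebGate instance.

Added example; not Oracle's tooling. Assumed: oamreg runs as
<OAM_REG_HOME>/bin/oamreg.sh inband <request.xml> and writes its artifact under
<OAM_REG_HOME>/output/<agent_name>/ (from the slides); the artifact is copied to
<WebGate_instance>/webgate/config/ (assumed target); the agent name is taken from
<agentName> in the request file. simulate_oamreg stands in for the real tool offline.
"""
import shutil
import subprocess
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

ARTIFACTS = ("ObAccessClient.xml", "osso.conf")  # WebGate/AccessGate vs. mod_osso


def agent_name_from_request(request_file):
    """The <agentName> value of the request file, which also names the output directory."""
    return (ET.parse(request_file).getroot().findtext("agentName") or "").strip()


def run_inband(oam_reg_home, request_file, runner=subprocess.run):
    """Run oamreg in in-band mode. stdin stays attached because oamreg prompts for
    the registration administrator username and password."""
    cmd = [str(Path(oam_reg_home) / "bin" / "oamreg.sh"), "inband", str(request_file)]
    result = runner(cmd, check=False)
    if result.returncode != 0:
        raise RuntimeError(f"oamreg exited with {result.returncode}; nothing deployed")
    return result.returncode


def locate_artifact(oam_reg_home, agent_name):
    """Native config generated for the agent (ObAccessClient.xml or osso.conf), or None."""
    out_dir = Path(oam_reg_home) / "output" / agent_name
    for name in ARTIFACTS:
        candidate = out_dir / name
        if candidate.is_file():
            return candidate
    return None


def deploy_artifact(artifact, webgate_instance_home):
    """Copy the artifact into the WebGate instance, keeping a .bak of any previous copy."""
    target_dir = Path(webgate_instance_home) / "webgate" / "config"  # assumed layout
    target_dir.mkdir(parents=True, exist_ok=True)
    target = target_dir / artifact.name
    if target.exists():
        shutil.copy2(target, target.with_name(target.name + ".bak"))
    shutil.copy2(artifact, target)
    return target


def register_and_deploy(oam_reg_home, request_file, webgate_instance_home, runner=subprocess.run):
    """Whole in-band flow: run oamreg, find the artifact, deploy it. Returns the deployed path."""
    agent = agent_name_from_request(request_file)
    if not agent:
        raise ValueError("request file has no <agentName>")
    run_inband(oam_reg_home, request_file, runner)
    artifact = locate_artifact(oam_reg_home, agent)
    if artifact is None:
        raise FileNotFoundError(f"none of {ARTIFACTS} under output/{agent}; check the oamreg output")
    return deploy_artifact(artifact, webgate_instance_home)


def simulate_oamreg(cmd, check=False):
    """Constructed stand-in for oamreg: writes an ObAccessClient.xml where the real tool would."""
    oam_reg_home = Path(cmd[0]).parent.parent  # <OAM_REG_HOME>/bin/oamreg.sh -> <OAM_REG_HOME>
    agent = agent_name_from_request(cmd[2])
    out_dir = oam_reg_home / "output" / agent
    out_dir.mkdir(parents=True, exist_ok=True)
    (out_dir / "ObAccessClient.xml").write_text("<!-- constructed placeholder artifact -->\n")
    return subprocess.CompletedProcess(cmd, 0)


def demo():
    """Offline run of the flow in a scratch directory, twice, so the .bak path is exercised."""
    root = Path(tempfile.mkdtemp())
    request = root / "input" / "OAMRequest_short.xml"
    request.parent.mkdir()
    request.write_text("<OAM11GRegRequest><agentName>hr_webgate</agentName></OAM11GRegRequest>\n")
    instance = root / "webgate_instance"
    deployed = register_and_deploy(root, request, instance, runner=simulate_oamreg)
    deployed_again = register_and_deploy(root, request, instance, runner=simulate_oamreg)
    return {"oam_reg_home": root, "deployed": deployed, "deployed_again": deployed_again,
            "backup": deployed.with_name(deployed.name + ".bak")}


if __name__ == "__main__":
    print(demo())
```

Restarting the Web server after deployment, the slides' final step, is left to the operator because the restart depends on how the OHS instance is managed.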
Page 39
Out-of-Band Registration Using oamreg Tool
• An out-of-band administrator:
– Creates a metadata request containing specific application and agent details
• An in-band administrator:
– Runs the registration command:
— oamreg.sh outofband <oam_home>/oam/server/rreg/client/rreg/input/OAMRequest_short.xml
— Enters the registration administrator username and password.
— Output: <oam_home>/oam/server/rreg/client/rreg/output/<agentName>/<agentname>_response.xml
– Submits this XML file to the out-of-band administrator
Page 40
Out-of-Band Registration Using oamreg Tool
cwallet.sso (for OAM 11g) configuration files.
– Restarts the Web server.
Page 41
Out-of-Band Registration Using oamreg Tool
Page 42
Remote Registration: Common Issues
• Verify that a valid user belonging to the group mapped to “role security admin” exists before performing registration
• Verify that the agent name is unique and not already registered, for each run of remote registration
• Verify that the agent host:port is not already registered under a different host identifier
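A pre-flight check that applies the mandatory-parameter list (page 33), the parameter guidelines (page 34) and the common issues listed above to a request file before oamreg is run. This is an added example, not part of Oracle's RREG tooling: it assumes the XML element names match the parameter names on the slides, assumes the root element name and the <server><host>/<port> layout inside <primaryServerList>, and uses a constructed inventory of already-registered agent names and host identifiers in place of what the admin console lists under System Configuration > Agents and Shared Components > Host Identifier.

```python
"""Pre-flight checks for an oamreg *Request*.xml before remote registration.

Added example; not part of Oracle's RREG tooling. Assumed: element names match the
request parameters named on the slides, the root element name, and the
<server><host>/<port> layout inside <primaryServerList>. REGISTERED is a constructed
inventory standing in for what the OAM admin console lists.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MANDATORY = ("serverAddress", "agentName", "agentBaseUrl", "hostIdentifier",
             "protectedResourcesList", "publicResourcesList")
SECURITY_MODES = ("open", "simple", "cert")  # slides: default is Open

# Constructed request file modelled on the short request template.
SAMPLE_REQUEST = """<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
  <serverAddress>http://oamadmin.example.com:7001</serverAddress>
  <agentName>hr_webgate</agentName>
  <agentBaseUrl>http://hr.example.com:7777</agentBaseUrl>
  <hostIdentifier>hr_webgate</hostIdentifier>
  <applicationDomain>hr_webgate</applicationDomain>
  <security>simple</security>
  <primaryCookieDomain>.example.com</primaryCookieDomain>
  <preferredHost>hr.example.com:7777</preferredHost>
  <primaryServerList>
    <server><host>oam1.example.com</host><port>5575</port></server>
  </primaryServerList>
  <protectedResourcesList><resource>/hr/**</resource></protectedResourcesList>
  <publicResourcesList><resource>/hr/public/index.html</resource></publicResourcesList>
</OAM11GRegRequest>
"""

# Constructed inventory of what is already registered on the OAM server:
# agent names, and the host:port values held by each host identifier.
REGISTERED = {
    "agents": {"finance_webgate"},
    "host_identifiers": {"finance_webgate": {"finance.example.com:7777"}},
}


def _text(node, tag):
    return (node.findtext(tag) or "").strip()


def _host_port(url):
    """'host:port' of a URL, defaulting the port from the scheme."""
    parsed = urlparse(url)
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return f"{parsed.hostname}:{port}"


def check_request(xml_text, registered):
    """Return (level, message) findings; an empty list means the request is clean."""
    root = ET.fromstring(xml_text)
    findings = []

    missing = [tag for tag in MANDATORY if root.find(tag) is None]
    if missing:
        return [("ERROR", f"missing mandatory parameter(s): {', '.join(missing)}")]

    agent = _text(root, "agentName")
    base_url = _text(root, "agentBaseUrl")
    host_id = _text(root, "hostIdentifier")
    agent_host = urlparse(base_url).hostname or ""
    agent_hp = _host_port(base_url)

    mode = (_text(root, "security") or "open").lower()
    if mode not in SECURITY_MODES:
        findings.append(("ERROR", f"<security> must be one of {SECURITY_MODES}, got {mode!r}"))

    # <primaryCookieDomain> must be the domain of <agentBaseUrl>
    domain = _text(root, "primaryCookieDomain").lstrip(".")
    if domain and not (agent_host == domain or agent_host.endswith("." + domain)):
        findings.append(("ERROR", f"<primaryCookieDomain> {domain!r} is not the domain of {agent_host!r}"))

    # <preferredHost> is generally the same as <agentBaseUrl>; a mismatch is flagged for review
    preferred = _text(root, "preferredHost")
    if preferred and preferred != agent_hp:
        findings.append(("WARN", f"<preferredHost> {preferred!r} differs from agentBaseUrl {agent_hp!r}"))

    # <primaryServerList> needs at least one OAM proxy host and port
    servers = [(_text(s, "host"), _text(s, "port")) for s in root.findall("primaryServerList/server")]
    if not any(host and port.isdigit() for host, port in servers):
        findings.append(("ERROR", "<primaryServerList> needs at least one <server> with host and numeric port"))

    for lst in ("protectedResourcesList", "publicResourcesList"):
        if not any((r.text or "").strip() for r in root.findall(f"{lst}/resource")):
            findings.append(("WARN", f"<{lst}> has no <resource> entries"))

    # Common issues from the slides: duplicate agent name; host:port under another host identifier
    if agent in registered["agents"]:
        findings.append(("ERROR", f"agent name {agent!r} is already registered; each run needs a unique name"))
    for other_id, host_ports in registered["host_identifiers"].items():
        if agent_hp in host_ports and other_id != host_id:
            findings.append(("ERROR", f"{agent_hp} is already registered under host identifier {other_id!r}"))
    return findings


def errors(findings):
    """Only the blocking findings."""
    return [msg for level, msg in findings if level == "ERROR"]


if __name__ == "__main__":
    for level, msg in check_request(SAMPLE_REQUEST, REGISTERED) or [("OK", "request is clean")]:
        print(level, msg)
```

The registration-administrator membership check from the first bullet above is deliberately not covered here, since that is a question for the identity store, not for the request file.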
Page 43
10g WebGate Installation: General Comments
• Use the 10.1.4.3.0 WebGate installer.
• Key points to remember:
– For the WebGate ID, use the “agent name” that is specified by using the OAM admin console or passed to the remote registration utility during 10g WebGate provisioning.
– For the access server ID, use any unique ID.
– For the access port, use the port on which the OAM proxy is running (for example, 3004).
— View this port in the OAM admin console under the 10g WebGate profile.