Wednesday, 1 February 2012

How to configure OAM 11g Server and configure 10g + 11g webgates

I think lot of people who are familiar with OAM 10g are having confusion/problems with OAM11g. Ofcourse they would be as OAM 11g is completely re-written and many of its features have changed. In this blog I am going to talk about some feature changes. Walk through the Administration console of OAM 11g. Also, I'll be covering up installation and configuration of 10g webgates and 11g webgates.

As you can see I've tried to put in lot of information and could have been more if I tried to cover up everything. So, for some of the parts I have assumed that you have done the per pre-requisites required for configuring the Weblogic Domain for OAM Server.


This diagram shows architecture of OAM11g server. How all the components fit in internally.

This diagram talks about the actual weblogic server instances and OAM related applications they are running.

You need to execute runInstaller to start the installer for IAMSuite on Linux box. This installer will only copy the binaries to the Oracle Home directory in the Middleware home. It will not perform any configuration of OAM.

Click Next to proceed to next screen.

A prerequisites check is done by the installer. If you find that some OS parameters are not configured correctly modify them and re-run the installer. Also, you might find that some of the packages are missing. You will have to install them.

Provide location of your Oracle Home Directory. This is where your binaries for OAM will be copied to.

Click on Install button to start the installation.



You need to create and configure a new Domain for OAM console and managed servers.

Select the product Oracle Access Manager with Database Policy Store. Also, select Enterprise manager(This is optional component). Required dependent products will be automatically selected.

Provide a name for your domain. Also, at this point you can change the location where you domain will be created. By default it is created in the MW_Home/user_projects directory.

You need to provide a master administor user and its password. This user will be used to login to start the weblogic serves as well as login to administration consoles. Till you re-wire your components to use LDAP repositories.

Ideal scenario it is recommended to run weblogic server in production mode. It is tuned for performance when running in Production mode.

The RCU should have created database schema for OAM. You need to provide connection details to that database instance at this step. OAM's policy information will be stored in it.

You need to make sure that the database connectivity is successful or else when you start your servers your OAM application will fail.

You can either choose to configure Administration server parameters or managed servers or you can leave it default. If you are planning to leave it default no need to check modify settings options.

At this point you can modify the port and the hostname/ipaddress your Admin Server of weblogic will run on.

At this point you can modify the port and the hostname/ipaddress your OAM Managed Server of weblogic will run on. This is the actual OAM application that webgate will be talking to and credential collector will be deployed on.

As this is a standalone server no cluster information is provided.

The Unix machine holds the information for node manager of weblogic server. Nodemanager can be used to start or stop the managed servers from the Weblogic Administration Console.

You need to associate the servers to machine created earlier. You can also do this step later from Weblogic Administration Console.

This is the summary of the Deployments. No need to modify anything at this point.

Once your domain is created successfully. Click on Done to close this configuration wizard.

You can start the Admin Server of weblogic by executing the command startWeblogic.sh.

Provide the weblogic user's credentials to start the Admin Server. At this point your bootstrapping of OAM happens. You need to make sure it starts successfully.



The OAM Administration console is deployed on the Admin Server of weblogic. So you can now access the URL http://hostname:port/oamconsole to login.

Currently weblogic server's embedded ldap is the default user identity store of OAM. So, you need to login as weblogic user. But this can be changed later from OAM Console to point to any supported LDAP Server.

The next few screens will be discussing on what you will find in the OAM Console. As you can see this is the System Configuration tab. Currently we are looking at available services option.

All your session, auditing and coherence related settings are available the Common Settings.



Server instances are your OAM servers. Here you can see/modify the hostname, port, proxy(where agents connect) etc.



Next image talks about the session management in OAM.


There is an option available to see a user's session live from the OAM Console. You can click on search to get list of all the users who are having a valid session. You can delete the sessions from here to force the end users to perform a re-login.

Next few images are about the Certification Validation related configuration. I won't be going too deep into this configuration as it is advanced configuration and not required at this point.



You User Identity Store configuration is where your users are searched/validated from at the time of Authentication/Authorization using OAM.

The Access Manager Settings are for the load balancing configuration. If you have a load balancer or you are planning to use a web server infront of the OAM server in that case these configurations need to be updated.



Now all resources which reside on web server needs to be protected using OAM. For this we need to install Agents on the web servers. There are different types of agents available with different use cases. The most used agent type is the OAM 10g webgate. It works with most of the web servers available in the market.





You can create Agents also known as webgates from SSO Agents --> OAM Agents. From below mentioned screen.

By default IAMSuiteAgent is created at the time of configuration. You do not need to create it. This agent is used for protecting the URLs on the Weblogic Server where your IAMSuite is installed.



If you are planning to use OSSO agents for single sign-on or if you are upgrading your 10g OSSO to OAM11g then you will find that an OSSO agent is created here.

The Authentication Modules are used for mapping Authentication scheme of Policy Configuration with User Identity stores.

For WNA Authentication you need to configure this Kerberos Authentication Module with required parameters. It is not being covered up as it is an advanced topic and requires configuration at Active Directory.

For X509 Authentication you need to configure this X509 Authentication Module with required parameters. It is not being covered up as it is an advanced topic and it can be used to Authenticate a user using certificate.

I won't be talking more on the Security Token Service. I have still added all the screenshots for reference if someone wants to just have a look at them.



















The Policy object names have changed with OAM 11g.

You cannot modify the Resource configuration that is provided OOTB.

Host Identifier is the hostname+port combination used to map a resource to a Webgate instance with a Application Domain.

Authentication Schemes are the mechanism that is going to be applied for challenging the user for credentials. It can be a dialog box, Form, Certificate or Kerberos ticket etc.

In any application domain you will find Resources, Authentication Policies and Authorization Policies. Token issuance policies are used only OSTS. It is not used if you don't have OSTS enabled.

The Authentication Policy is where you define which resource will be protected with which Authentication Scheme. Along with other configuration for setting responses(setting cookie or headers etc.) or an action shown in next screen.

The responses tab is where you define what headers/cookies will be set by OAM server after a user's authentication.





Authorization Policy is the next step where after a successful authentication of a user, an authorization is performed based on the constraints defined. These constraints can be based on Groups, Users, IP range etc. 

In the tab Constrains you can restrict or allow user access to a resource even though he/she is successfully authenticated.

Response tab in authorization policy is similar to responses in authentication policy. In case of authorization policy the responses are applied every time a resource is accessed. This is not the case for authentication policy as it is invoked only once at the time of authentication. Whereas authorization policy is invoked every time a resource is accessed.

You can start OAM's managed server from command line as shown below. You can also start managed server from Weblogic console or enterprise manager's console if you have configured Node Manager.

If your OAM managed server starts up successfully you should see Running Mode. Also, this is managed server instance of Weblogic(not OAM Server application). You need to make sure from weblogic console's deployments if the application oam_server is in running state to ensure that your OAM server came up correctly. 

Now, if you try to access OAMConsole by typing URL http://hostname:port/oamconsole. You will be redirected to OAM server's LDAPScheme's login page.

The next steps talks about creating 10g webgate instances from OAM console as well as installation/configuration of 10g webgate.

You can refer to the Administration Guide of OAM to understand what all the parameters are used for and in what scenarios it is configured for a webgate instance. It is out of scope of this blog to cover up every small detail.





This point I am creating an instance of 11g webgate from the OAM Console. There is a command line utility provided called as the rreg. It can be used to create webgate instances remotely.



Webgate installation can be done in GUI mode or console mode in Linux. If you don't provide any parameter the installation/configuration will start in console mode by default.


Provide appropriate Group/User value using which the webgate instance is going to run. Make sure it is exactly same as what the web server is configured to run.

Provide a location where all your webgate binaries will be copied to.


Webgate uses GCC libraries. Make sure you have downloaded correct libraries from the Oracle website.

Webgate can run in 3 modes. Open mode where communication is not encrypted between webgate and access server. Simple mode where you use Oracle generated certs to encrypt the communication between webgate and access server. Cert mode is used when you are going to use certificates provided by a third party CA. 

This window all webgate configuration information is provided along with access server details so that webgate can successfully connect to access server. 

The httpd.conf file gets updated with webgate parameters. So, when a user tries to access any resource on the web server. The webgate is able to intercept the request and challenge for valid credentials.








Below diagram shows the flow of Login process with webgates/agents.

A quick demo on what happens when a user tries to access a protected resource.

User gets redirected to the Login page.

Now, he is successfully redirected to the requested resource.

Some of the session cookies used by OAM to identify a valid session.





11g webgate uses the OUI for installation of webgate binaries. It needs a valid Middleware home location to install successfully.



Select the middleware home where you want to install this webgate instance. Also, provide a name for Oracle home directory.


This step only copies binaries of webgate doesn't perform any configuration.



Deploy the webgate instance on your OHS 11g web server. At this point 11g webgate is available only for OHS11g web servers. If you have any other web server you need to use 10g webgate.

The second last step is to update the httpd.conf file of OHS11g web server with the parameters of webgate so that webgate can intercept requests for resources.

Copy the artifact files to OHS11g web server for the webgate instance. 

A quick demo on what happens when a user tries to access a protected resource.


7 comments:

Kuntal Godbole said...

FODU !! :D

Just amazed to see how much efforts you have put in creating this post.

Just awesome.

- Kuntal

Richard Ikeda said...

Muito bom cara! Parabéns!

Chu Khanh said...

Can you help to add a oam instance oam_server2 to this guide? I do some helps from other blogs but didn't work. Wonder if you already configure this also.

Unknown said...

Hi,

If you wish to add oam_server2 to existing infrastructure. The minimum requirement is that you have configured a cluster of oam servers. Even though it has only one server oam_server1 in it.

If you already have a cluster all you need to do is clone existing oam_server1 managed server in weblogic server with new name oam_server2 in oam cluster and login to oam console and create a new instance oam_server2.

You can contact me offline. If you need further info on this at yagnesh.gajjar@gmail.com.

Amarpreet Singh Chahal said...

Hi,
Right now you are accessing your application using the HTTP port 7777, but in normal scenario the user will enter the normal URL of the application that will have its own port number, in that case how it will redirect to OAM console for login using webgate.
Thanks

Anonymous said...

Very informative! Thank you!

Unknown said...

Hi yagnesh,
I am having a weird problem happening. I have a cluster (oam_server1 and oam_server2)
I have webgate 11g and webgate 10g setup.
When my one server down I am not able to access 10g agent protected application whereas at the same time I am able to access 11g agent based application? In the 10g agent protected application I get the login page to submit the credentials but once submit it gives 404 error.
Any clue on this?

Thanks