Showing posts with label OAM. Show all posts

Wednesday, August 12, 2015

OHS 11g Webgate for OAM 11gR2

Install Oracle HTTP Server 11g

Oracle HTTP Server is available as a web server component in Oracle Web Tier. Download Oracle Web Tier 11g from Oracle. Create a non-root user, extract the installer contents from the downloaded Oracle Web Tier zip file and execute runInstaller.




Click Next. If you wish to install software updates, enter your credentials.




Select the Install and Configure option and click Next.



Be sure you have all the required prerequisites and then click Next.



Create a new Middleware home 



Enter your details to receive security updates.



Select Oracle HTTP Server




Specify Component Details 


Depending on your configuration, select the Auto Port Configuration option or the Specify Ports Using Configuration File option.



Verify the installation summary and click Install







Installing Oracle HTTP Server 11g Webgate

Start the installer by executing ./runInstaller -jreLoc <WebTier_Home>/jdk


 Click Next to continue.







Specify the Middleware Home and Oracle Home locations.



Click Install to begin the installation.




Click Finish to dismiss the installer.




Post-Installation Steps


Move to the <Webgate_Home>/webgate/ohs/tools/deployWebGate directory under your WebGate Oracle Home and run the following command to copy the required agent files from the Webgate_Home directory to the WebGate instance location.


For example,

-bash-4.1$ ./deployWebGateInstance.sh -w /u02/app/ssodxbstage/oracle/ohs3/instances/ohs_instance3/config/OHS/ohs3 -oh /u02/app/ssodxbstage/oracle/Oracle_OAMWebGate1

Copying files from WebGate Oracle Home to WebGate Instancedir

Run the following commands to ensure that the LD_LIBRARY_PATH variable includes the OHS lib directory, then change to the InstallTools directory:

export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/u02/app/ssodxbstage/oracle/ohs3/lib
cd /u02/app/ssodxbstage/oracle/Oracle_OAMWebGate1/webgate/ohs/tools/setup/InstallTools

On the command line, run the following command to copy apache_webgate.template from the Webgate_Home directory to the WebGate instance location (renamed to webgate.conf) and to update httpd.conf with one line that includes webgate.conf:

./EditHttpConf -w <Webgate_Instance_Directory> [-oh <Webgate_Oracle_Home>] [-o <output_file>]

-bash-4.1$ ./EditHttpConf -w /u02/app/ssodxbstage/oracle/ohs3/instances/ohs_instance3/config/OHS/ohs3 -oh /u02/app/ssodxbstage/oracle/Oracle_OAMWebGate1
The web server configuration file was successfully updated
/u02/app/ssodxbstage/oracle/ohs3/instances/ohs_instance3/config/OHS/ohs3/httpd.conf has been backed up as /u02/app/ssodxbstage/oracle/ohs3/instances/ohs_instance3/config/OHS/ohs3/httpd.conf.ORIG

Tuesday, August 11, 2015

Configure SSO for multiple EBS instances

Enterprises often need to configure SSO for multiple EBS instances, whether Dev, UAT and Prod instances or multiple production environments, using the same Access Manager. In such cases multiple instances can be secured using one application domain, SSO agent and WebGate.

Adding Policies to an existing WebGate and Application Domain



Follow the steps below to add the required policies for additional Oracle E-Business Suite integration to an existing WebGate and Application Domain.

  • Change directories to <RREG_Home>/input.
  • Create a new file named EBS_OAM_PolicyUpdate.xml, or use the existing one, to serve as a parameter file to the oamreg tool. Below is a sample.

 <?xml version="1.0" encoding="UTF-8"?>
 <PolicyRegRequest>
   <serverAddress>{protocol}://{oam_admin_server_host}:{oam_admin_server_port}</serverAddress>
   <hostIdentifier>{Identifier for your existing WebGate}</hostIdentifier>
   <applicationDomainName>{Identifier for your existing WebGate}</applicationDomainName>
 </PolicyRegRequest>


  • Replace {protocol} with either http, or https if the component has been SSL enabled.
  • Replace {oam_admin_server_host} with the fully qualified name for your OAM host.
  • Replace {oam_admin_server_port} with the WebLogic Administration Server port (the SSL port if the Admin Server has been SSL enabled).
  • Replace {Identifier for your existing WebGate} within both the <hostIdentifier> and <applicationDomainName> elements with the Identifier for your existing WebGate.

Create a new file named ebs.oam.conf to serve as the URIs file for the oamreg tool. Change directories to <RREG_Home> and run the following command to add the new policies.


     ./bin/oamreg.sh policyUpdate input/EBS_OAM_PolicyUpdate.xml

When prompted for the admin username and password, enter the credentials of your Oracle Access Manager administrator (by default the user "weblogic").

When prompted "Do you want to import an URIs file?(y/n)", enter "y".

Enter the full path for the URIs file that you just created as <RREG_Home>/input/ebs.oam.conf.

The script should complete successfully with a request summary. Log in to the OAM console and check that the URIs have been added for the new instance.





Configuring AccessGate for multiple EBS instances


The AccessGate can be deployed on dedicated managed servers, for example eag_server1 protecting ebs_instance1 and eag_server2 protecting ebs_instance2, or on the same WebLogic server with a different context root for each. A unique name must be used for each application deployment, for example ebsauth_myEBS1 and ebsauth_myEBS2. The deployment for each Oracle E-Business Suite environment is also performed from a separate file system directory, for example <MW_HOME>/appsutil/accessgate/ebsauth_myEBS1 and <MW_HOME>/appsutil/accessgate/ebsauth_myEBS2. Each Oracle E-Business Suite AccessGate application is tied to a single Apps DataSource configuration during deployment.

The following entries are required in the OHS configuration on the WebGate host to route requests to the corresponding AccessGate.

   <Location /ebsauth_myEBS1>
    SetHandler weblogic-handler
    WebLogicHost eaghost.example.com
    WebLogicPort 8099
   </Location>
   <Location /ebsauth_myEBS2>
    SetHandler weblogic-handler
    WebLogicHost eaghost.example.com
    WebLogicPort 8099
   </Location>


Cleanup for Logout from Oracle E-Business Suite



On the Web Tier, locate the file oacleanup.html that you copied during Oracle E-Business Suite AccessGate installation to the /public subdirectory of your htdocs root directory, for example $ORACLE_INSTANCE/config/OHS/ohs1/htdocs/public/oacleanup.html.

Edit the file and replace CONTEXT_ROOT with the value of the context root for any deployment of Oracle E-Business Suite AccessGate protected by this WebGate. For example:

<script type="text/javascript" src='/ebsauth_myEBS/ssologout_callback?mode=cleanup'></script>

Search for the following function and add an addCallback line for each additional AccessGate deployment.

 function doLoad()
 {
 logoutHandler.addCallback('/ebsauth_myEBS/ssologout_callback');
 logoutHandler.addCallback('http://webgatehost2.example.com:7780/ebsauth_myEBS2/ssologout_callback');
 }
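The two pieces of configuration above, the mod_wl_ohs Location blocks that route each context root to an AccessGate and the addCallback list in oacleanup.html, have to stay in step: a deployment that is routed but has no callback is never cleaned up at logout. The following Python script is an added example, not code from the post or from Oracle, that parses both fragments (and the webgate.conf include line that EditHttpConf adds to httpd.conf) from constructed sample text and reports every AccessGate context root that has no logout callback registered. The Location and addCallback syntax it recognises is the one shown in the post; the sample configuration and cleanup page are constructed for the example.

```python
"""Cross-check OHS AccessGate routing against the logout cleanup page.

Added example (not from the original post or from Oracle). It assumes:
  * mod_wl_ohs routing is expressed as <Location /ctx> ... SetHandler
    weblogic-handler ... </Location> blocks, as shown in the post;
  * oacleanup.html registers one logoutHandler.addCallback('<url>') per
    AccessGate deployment, with the callback path '<ctx>/ssologout_callback';
  * httpd.conf includes the WebGate configuration with an Apache
    'include' directive naming webgate.conf (the EditHttpConf step).
"""
import re
from urllib.parse import urlparse

# Constructed sample inputs (not real files from the post's environment).
SAMPLE_OHS_CONF = """\
include "/u02/app/oracle/ohs3/instances/ohs_instance3/config/OHS/ohs3/webgate.conf"
<Location /ebsauth_myEBS1>
    SetHandler weblogic-handler
    WebLogicHost eaghost.example.com
    WebLogicPort 8099
</Location>
<Location /ebsauth_myEBS2>
    SetHandler weblogic-handler
    WebLogicHost eaghost.example.com
    WebLogicPort 8099
</Location>
"""

# Constructed oacleanup.html: only the first deployment has a callback.
SAMPLE_CLEANUP_HTML = """\
<script type="text/javascript" src='/ebsauth_myEBS1/ssologout_callback?mode=cleanup'></script>
<script>
function doLoad()
{
logoutHandler.addCallback('/ebsauth_myEBS1/ssologout_callback');
}
</script>
"""

LOCATION_RE = re.compile(
    r"<Location\s+(\S+)\s*>(.*?)</Location>", re.IGNORECASE | re.DOTALL)
CALLBACK_RE = re.compile(r"addCallback\(\s*['\"]([^'\"]+)['\"]\s*\)")
INCLUDE_RE = re.compile(r"^\s*include\s+\"?([^\"\s]*webgate\.conf)\"?",
                        re.IGNORECASE | re.MULTILINE)


def accessgate_context_roots(ohs_conf):
    """Return the context roots of Location blocks routed to WebLogic."""
    roots = []
    for path, body in LOCATION_RE.findall(ohs_conf):
        if re.search(r"SetHandler\s+weblogic-handler", body, re.IGNORECASE):
            roots.append(path.rstrip("/"))
    return roots


def logout_callback_roots(cleanup_html):
    """Return the context root of each registered ssologout_callback."""
    roots = []
    for url in CALLBACK_RE.findall(cleanup_html):
        path = urlparse(url).path  # drops scheme/host of remote callbacks
        if path.endswith("/ssologout_callback"):
            roots.append(path[: -len("/ssologout_callback")])
    return roots


def webgate_included(ohs_conf):
    """True if httpd.conf carries the include line EditHttpConf adds."""
    return INCLUDE_RE.search(ohs_conf) is not None


def missing_logout_callbacks(ohs_conf, cleanup_html):
    """AccessGate context roots that have no logout callback registered.

    A deployment listed here keeps its AccessGate session alive after the
    user logs out of OAM, which is the symptom the post's logout fix is about.
    """
    registered = set(logout_callback_roots(cleanup_html))
    return [r for r in accessgate_context_roots(ohs_conf) if r not in registered]


if __name__ == "__main__":
    print("webgate.conf included:", webgate_included(SAMPLE_OHS_CONF))
    print("missing callbacks:",
          missing_logout_callbacks(SAMPLE_OHS_CONF, SAMPLE_CLEANUP_HTML))
```

Run against the real files by reading httpd.conf (plus any mod_wl_ohs.conf it includes) and oacleanup.html into the two strings; anything returned by missing_logout_callbacks is a deployment whose users will not be fully logged out.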

Thursday, February 12, 2015

Zero Sign-On (ZSO) or IWA for IIS 8 applications using OAM11GR2

Both Zero Sign-On (ZSO) and Single Sign-On (SSO) mean that the user has one username and password (e.g. the Active Directory username and password) for the SSO-enabled applications, but ZSO authenticates seamlessly, without prompting for a username and password, using the desktop credentials via the Kerberos protocol. Below are the steps to configure ZSO for .NET websites running on an IIS server using Oracle Access Manager.


Environment

OAM: 11.1.2.2.0
Web server: IIS 8 on Windows Server 2012 R2
Webgate: 11.1.2.2.0

Prerequisite

  • Install the Visual C++ Redistributable for Visual Studio 2012 Update 4, or else the files will not be copied properly during installation.
  • Install a 64-bit Java runtime environment (JRE), 1.6 or higher.
  • It is recommended to run the command prompt as administrator and execute all the scripts from it.
  • Make sure to provide full access to the Middleware home and the WebGate instance folders.
  • Make sure the site is deployed on the IIS server and is listed by the following command:
      %systemroot%\System32\inetsrv>appcmd.exe list sites


Installing the IIS 11g WebGate

Extract the contents of the webgate.zip file to a directory, go to Disk1 and run the command below.

setup.exe -jreLoc 64_bit_jre_location



Click Next to continue.



Click Next to continue.










Specify the Middleware Home and Oracle Home locations.


Click Install to begin the installation.




Click Finish to dismiss the Installer.




To deploy the WebGate instance, go to the WebGate_Oracle_Home\webgate\iis\tools\deployWebGate directory and run the following command:

deployWebGateInstance.bat -w WebGate_Instancedir -oh WebGate_Oracle_Home -ws WebServer



To run the ConfigureIISWebGate.bat tool, go to WebGate_Home\webgate\iis\tools\ConfigureIISConf and run the command below.


ConfigureIISWebGate.bat -oh c:\WGHome -w c:\WGInstance -site "mysite"




Make sure webgate.ini has an entry like the one below for the registered WebGate instance; 19 represents the site ID protected by the access gate.



Also make sure the ISAPI filters are added, pointing to webgate.dll, as below.




Register the WebGate using RREG

The WebGate registration can be done from the OAM console or with the RREG scripts. To register using the scripts, navigate to OAM_REG_HOME/bin and execute the command below.

$ ./oamreg.sh inband input/test_OAMRequest.xml 

Copy the files generated in RREG_Home\output\Agent_ID to the WebGate_Instance_Home\webgate\config directory.

Make sure the SSO agent is registered as an 11g WebGate.

Configure OAM to use WNA

  • Create a user in Microsoft Active Directory, for example oamuser.


  • Run ktpass on the KDC server to create the SPN (service principal name) and associate it with this user. For example:


ktpass -princ HTTP/myhost.mydomain.com@DOMAIN.COM -pass ***** 
-mapuser oamuser -out D:\etc\oam.keytab

where myhost.mydomain.com is the FQDN of the host where Access Manager is running, or the host name of the load balancer VIP in the case of an OAM cluster.

  • Edit the /etc/krb5.conf file to include the domain and the KDC server.


  • Configure the Kerberos authentication scheme to use WNA by logging in to the OAM console -> Launch Pad -> Authentication Schemes -> KerberosScheme and changing the challenge method to WNA.






  • Log in to the OAM console -> Launch Pad -> Authentication Modules -> Kerberos and change the default values to the actual values.



  • Configure the application domain protecting the resource to use the Kerberos authentication scheme.


  • Register Active Directory as the identity store and make it the primary user identity store for Oracle Access Manager.



After you start the IIS web server (iisreset), log in to the site using the following URL without entering any credentials.

http://myhost.domain.com:port
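The ktpass step above produces a keytab, and WNA only works when the principal inside it is exactly the SPN that OAM's Kerberos module is configured with (HTTP/<fqdn>@<REALM>, case included). The following Python script is an added example, not code from the post or from Oracle: it parses the MIT keytab file format (version 0x0502, the format ktpass writes) and lists each principal, encryption type and key version number without ever printing key material, so the file can be checked before it is copied to the OAM host. The sample keytab is constructed in the script from a hypothetical principal and a dummy key; the host and realm names are placeholders from the post, not real values.

```python
"""Inspect a Kerberos keytab without printing the key material.

Added example (not from the original post or from Oracle). It implements
the MIT keytab file format (version 0x0502), which is what ktpass -out
produces, so that a defender can confirm the keytab carries exactly the
SPN configured in OAM (HTTP/<fqdn>@<REALM>, realm in upper case) before
copying it to the OAM host. The sample keytab bytes are constructed here
from a hypothetical principal and a dummy key; no real keys are involved.
"""
import struct
import time

KEYTAB_MAGIC = b"\x05\x02"   # file format version 2
NT_PRINCIPAL = 1             # name type used for HTTP/host principals


def _counted(data: bytes) -> bytes:
    """Encode a keytab counted_octet_string: uint16 length + bytes."""
    return struct.pack(">H", len(data)) + data


def build_keytab(principal: str, enctype: int, key: bytes, kvno: int,
                 timestamp: int = None) -> bytes:
    """Build a one-entry keytab (constructed sample data for the example)."""
    name, realm = principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    for comp in components:
        body += _counted(comp.encode())
    body += struct.pack(">IIB", NT_PRINCIPAL,
                        timestamp if timestamp is not None else int(time.time()),
                        kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)           # 32-bit kvno extension
    return KEYTAB_MAGIC + struct.pack(">i", len(body)) + body


def parse_keytab(data: bytes):
    """Yield (principal, enctype, kvno, key_length) for each live entry."""
    if data[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    pos = 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos); pos += 2
        (rlen,) = struct.unpack_from(">H", data, pos); pos += 2
        realm = data[pos:pos + rlen].decode(); pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos); pos += 2
            comps.append(data[pos:pos + clen].decode()); pos += clen
        _name_type, _ts, vno8 = struct.unpack_from(">IIB", data, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", data, pos); pos += 4
        pos += klen                  # skip the key itself; never print it
        kvno = vno8
        if end - pos >= 4:           # optional 32-bit kvno follows the key
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        yield "/".join(comps) + "@" + realm, enctype, kvno, klen


def keytab_has_spn(data: bytes, spn: str) -> bool:
    """True if the keytab contains exactly the SPN OAM is configured with.

    Principal names are case-sensitive: HTTP/host@DOMAIN.COM and
    http/host@domain.com are different principals, and a mismatch here is
    a common reason WNA falls back to a username/password prompt.
    """
    return any(p == spn for p, _, _, _ in parse_keytab(data))


# Constructed sample: placeholder host and realm, enctype 23 (rc4-hmac),
# dummy all-zero 16-byte key, fixed timestamp so the bytes are reproducible.
SAMPLE_SPN = "HTTP/myhost.mydomain.com@DOMAIN.COM"
SAMPLE_KEYTAB = build_keytab(SAMPLE_SPN, enctype=23, key=b"\x00" * 16,
                             kvno=3, timestamp=1420000000)

if __name__ == "__main__":
    for principal, enctype, kvno, klen in parse_keytab(SAMPLE_KEYTAB):
        print(f"{principal}  enctype={enctype} kvno={kvno} key_bytes={klen}")
    print("SPN present:", keytab_has_spn(SAMPLE_KEYTAB, SAMPLE_SPN))
```

To check a real file, pass the bytes of the keytab produced by ktpass to parse_keytab; the kvno it reports should match the one Active Directory holds for the account, since a stale kvno after a password reset is the other frequent cause of silent WNA failure.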

Sunday, November 30, 2014

OID - Active Directory Child Domain synchronization using Oracle Directory Integration Platform

Oracle Internet Directory (OID) is required as the LDAP directory when implementing SSO with Oracle Access Manager for Oracle products such as EBS. If you use another LDAP server, such as Microsoft Active Directory, across the enterprise, Oracle Directory Integration Platform (DIP) is required to synchronize the directories.

If not all users from the third-party directory are required in OID, filters such as AD groups can be used in the DIP synchronization profiles to bring in only the selected users. If the AD server you connect to is a global catalog server rather than a child domain reached through a referral, the users from the child domain are expected to be synced to OID. But if it is a referral child domain, the LDAP search will fail with the error below.

$ORACLE_HOME/bin/ldapsearch -h ADhost -p port -D "admin@mydomain.com" -w welcome1 -b "cn=users,dc=child1,dc=mydomain,dc=com" -s sub "objectclass=*"

ldap_search: LDAP Referral Error
ldap_search: additional info: 0000202B: RefErr: DSID-0310063C, data 0, 1 access points 

ref 1: 'child1.mydomain.com' 

If there is no global catalog server, the solution is to create a new synchronization profile in DIP pointing directly to the child domain. This can target the existing container in OID or a new one. The ldapsearch query can be run against the child domain controller to verify that all user accounts of interest, including all attributes and values to be synchronized, are returned by the query with the filter, if any.

$ORACLE_HOME/bin/ldapsearch -h ChildADhost -p port -D "admin@mydomain.com" -w welcome1 -b "cn=users,dc=child1,dc=mydomain,dc=com" -s sub "objectclass=*"


To manually create the AD to OID integration profile and set up the synchronization, perform the steps below.


  • Launch the FMW Enterprise Manager console and log in as the weblogic user.
  • Expand your domain and navigate to Identity and Access.
  • Select DIP.
  • From the DIP Server drop-down list select Administration, then Synchronization Profiles.
  • Using the navigation path, create a new DIP sync profile with a name of your choice; for example, take AD2OID as the integration profile name. In this window you will be asked to enter the AD details.
  • For the attribute "Use DIP-OID as Source or Destination", select Destination if you are using import (AD to OID) sync, or Source if you are using export (OID to AD) sync. For the source type, select Active Directory (MS) from the drop-down.
  • After providing the above details in the General tab, click Test Connection. If the values are correct you will see an information dialogue saying "Test Passed. Connection Successful". If the AD values in the General tab are wrong, Test Connection returns an error dialogue saying Authentication Failure; make sure you provide the correct values and get a successful connection before moving further.
  • Then click OK to save the profile. Now select the AD2OID profile from the list of available profiles and click Edit.
  • Now select the Mapping tab and configure the mapping as follows: under Configure Domain Rules click Create; in the Add Mapping Rule window select the Source Container DN and the OID Container DN from the lookup windows provided and click OK.

Validate and re-validate the mapping until you have no errors; warnings are OK.

Make sure the user account used has read access privileges to the subtree root.


Sunday, June 9, 2013

SSO Logout for Oracle eBusiness Suite integrated with OAM 11g

We had set up single sign-on for Oracle E-Business Suite R12 using OAM 11g. We used WNA to enable seamless SSO using the Windows logged-in credentials.
But when the users clicked on logout, it was again redirecting to the home page and a new session was created in the database.

To overcome the issue we made the changes below.

Search for OAMLogin.jsp in the deployed WAR file of the AccessGate and change the redirect URL as below.

Path:$EBS_DOMAINHOME/servers/AdminServer/tmp/_WL_user/<access_gate>/24wo2p/war


 if ("CookieCleanup".equals(request.getParameter("phase")))
    {
         response.sendRedirect(request.getContextPath()+"/logout.html");
         return;
    }

Copy logout.html to the same directory as OAMLogin.jsp. The logout HTML file can be found in the exploded WAR file; it redirects to Logout.jsp.

Path for Logout.jsp: $OAMDomain/servers/oam_server1/tmp/_WL_user/oam_server/xrd2uw/war/pages

This page can be customized according to your needs. Now when a user clicks on logout they are redirected to the logout page and the session is killed in the database.

Tuesday, June 5, 2012

Unable to login to OAM 11g Console after LDAP Authentication Module Is Changed To Use a New Identity Store

We were unable to log in to the OAM console after changing the identity store used by the LDAP authentication scheme. In our case it was IdentityStore1 and got changed to ADStore. So we had to revert the values in oam-config.xml to log in to the console again.

WebLogic Server maintains multiple backups of the file in the location below.


DOMAIN_HOME/config/fmwconfig/oam-config.xml


We found there was a backup file existing from before the change happened. So by restoring the file and restarting the servers we were able to log in to the console.

If you cannot find any backup of the file in the folder, just edit oam-config.xml and set the correct LDAP ID. For example,



 <Setting Name="ldapid" Type="xsd:string">UserIdentityStore</Setting>
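When no WebLogic backup is available, the hand edit above has to find every ldapid setting, change the one that points at the broken store, and leave the file in a state OAM will actually reload. The following Python script is an added example, not code from the post or from Oracle: it lists all ldapid settings with their position in the document, rewrites those equal to a given store name, and increments the top-level Version setting (OAM 11g only picks up a manually edited oam-config.xml when that version number has been raised). The sample document is constructed for the example and only mimics the nested Setting layout; the real file's element names and nesting differ, so the functions work by attribute name rather than by fixed path.

```python
"""Locate and reset the ldapid used by OAM 11g authentication modules.

Added example (not from the original post or from Oracle). It assumes the
oam-config.xml shape the post shows: nested <Setting Name="..." Type="...">
elements, with the identity-store reference held in
<Setting Name="ldapid" Type="xsd:string">, and a top-level
<Setting Name="Version" Type="xsd:integer"> that must be incremented after
a manual edit. The document below is constructed and simplified; it is not
a real oam-config.xml.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample (simplified nesting, not the real file's layout).
SAMPLE_OAM_CONFIG = """\
<Configuration>
  <Setting Name="Version" Type="xsd:integer">42</Setting>
  <Setting Name="DeployedComponent" Type="htf:map">
    <Setting Name="AuthnModules" Type="htf:map">
      <Setting Name="LDAP" Type="htf:map">
        <Setting Name="ldapid" Type="xsd:string">ADStore</Setting>
      </Setting>
    </Setting>
  </Setting>
</Configuration>
"""


def _setting_path(root, target):
    """Return the Name= path of a Setting element, e.g. a/b/c."""
    parents = {child: parent for parent in root.iter() for child in parent}
    parts = []
    node = target
    while node is not None and node is not root:
        parts.append(node.get("Name", node.tag))
        node = parents.get(node)
    return "/".join(reversed(parts))


def find_ldapid_settings(xml_text):
    """List every (path, value) ldapid setting in the document."""
    root = ET.fromstring(xml_text)
    return [(_setting_path(root, el), el.text or "")
            for el in root.iter("Setting") if el.get("Name") == "ldapid"]


def set_ldapid(xml_text, old_id, new_id):
    """Rewrite ldapid values equal to old_id and bump the Version setting.

    Returns (new_xml_text, number_of_values_changed). The Version bump is
    skipped when nothing changed so an unnecessary edit is not triggered.
    """
    root = ET.fromstring(xml_text)
    changed = 0
    for el in root.iter("Setting"):
        if el.get("Name") == "ldapid" and el.text == old_id:
            el.text = new_id
            changed += 1
    version = root.find("./Setting[@Name='Version']")
    if changed and version is not None:
        version.text = str(int(version.text) + 1)
    return ET.tostring(root, encoding="unicode"), changed


def restore_ldapid_in_file(path, old_id, new_id):
    """Edit a file in place, keeping a .bak copy of the original first."""
    p = Path(path)
    original = p.read_text(encoding="utf-8")
    p.with_suffix(p.suffix + ".bak").write_text(original, encoding="utf-8")
    new_text, changed = set_ldapid(original, old_id, new_id)
    if changed:
        p.write_text(new_text, encoding="utf-8")
    return changed


if __name__ == "__main__":
    for path, value in find_ldapid_settings(SAMPLE_OAM_CONFIG):
        print(f"{path} = {value}")
    fixed, n = set_ldapid(SAMPLE_OAM_CONFIG, "ADStore", "UserIdentityStore")
    print(f"changed {n} setting(s)")
```

Run find_ldapid_settings first against the real DOMAIN_HOME/config/fmwconfig/oam-config.xml to see which modules reference the new store before changing anything, then restore_ldapid_in_file with the servers stopped, and restart them as the post describes.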