This post describes the steps for configuring Webgate 11g for protecting applications.
Here webgate 18.104.22.168.0 version is used on top of oracle web tier 22.214.171.124.0
OAM 126.96.36.199.0 version is used for authentication and authorization purpose.
OID 188.8.131.52.0 is used as ldap store for user data .
- For this demostration, I have used a Linux VM with 16GB of Physical Memory.
- Installed IDM 184.108.40.206.0 at : /oracle/app/product/fmw_oam
- Installed IDM 220.127.116.11.0 at : /oracle/app/product/fmw_oid
- Installed Webtier 18.104.22.168.0 at : /oracle/app/product/fmw_ohs
- Installed Webgate for OHS22.214.171.124.0 at : /oracle/app/product/fmw_ohs/OAMWebGate
After the product directories are installed ,
A domain is created from “ /oracle/app/product/fmw_oam ” called : oam_domain.
This “oam_domain ” has AdminServer and oam_server running on the same host.
An oid instance was created from ” /oracle/app/product/fmw_oid ” called oid01 .
An ohs instance was created from ” /oracle/app/product/fmw_ohs ” called ohs01
Domain “oam_domain” is created for “OAM 126.96.36.199.0 “. This domain has AdminServer and oam_server running on same host. We call this host as oamtest.demo.com
- First we will deploy one Java Web App – HelloWorld on AdminServer of oam_domain . Download HelloWorld.zip
- This webapp is having a welcome page and links to HR page and Managers Page.
- After deploying the web app to the Admin Console, try to access the application welcome page using Admin Server host name port.
example : http://oamtest.demo.com:7001/HelloWorld/welcome.jsp
Here : oamtest.demo.com – Admin Server listen address and 7001 – admin server port .
- After this, we will configure OHS instance so that Application can be access via ohs . For this, we will be creating a virtual host configuration .
- edit the httpd.conf file with below entry : This is to include the vh.conf file.
## including virtual host configuration file : include /oracle/app/admin/instance/ohs01/config/OHS/ohs01/vh.conf
- create a file : vh.conf with below entries :
The below entries are to create two virtual hosts ” helloworld.com:80 ” and “globalworld.com:80 “
# This file is for configuring all the virtual hosts NameVirtualHost *:8888 <VirtualHost *:8888> ServerName helloworld.com:80 RewriteEngine On RewriteOptions inherit UseCanonicalName On </VirtualHost> <VirtualHost *:8888> ServerName globalworld.com:80 RewriteEngine On RewriteOptions inherit UseCanonicalName On </VirtualHost>
- Now, in file , mod_wl_ohs.conf , enter the below details :
<IfModule weblogic_module> ## configuration for HelloWorld Application <Location /HelloWorld> SetHandler weblogic-handler WebLogicHost oamtest.demo.com WeblogicPort 7001 </Location> </IfModule>
- Restart the ohs instance.
- Try to access the HelloWorld application using the virtual hosts configured :
http://helloworld.com:8888/HelloWorld/ and http://globalworld.com:8888/HelloWorld/
Now as we can see that the links to HR page and Managers page are accessed only when correct username credentials are used and the login page coming is a custom form based.
As we wanted to configure the authentication of this application via OAM , for that purpose , we need to configure WebGate on this OHS server.
- To configure, webgate , blelow command will copy the required files from WebGate Installation dir to OHS config dir.
/oracle/app/product/fmw_ohs/OAMWebGate/webgate/ohs/tools/deployWebGate/deployWebGateInstance.sh -w /oracle/app/admin/instance/ohs01/config/OHS/ohs01 -oh /oracle/app/product/fmw_ohs/OAMWebGate Copying files from WebGate Oracle Home to WebGate Instancedir
- After this, we need to update the ohs config files to include webgate directives .
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:<Oracle_Home_for_Oracle_HTTP_Server>/lib export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/oracle/app/product/fmw_ohs/ohs/lib cd /oracle/app/product/fmw_ohs/OAMWebGate/webgate/ohs/tools/setup/InstallTools ./EditHttpConf -w /oracle/app/admin/instance/ohs01/config/OHS/ohs01 -oh /oracle/app/product/fmw_ohs/OAMWebGate -o /oracle/app/admin/instance/ohs01/config/OHS/ohs01/webgate.out
Once this is done, we can restart the ohs instance and then try to access the application again via urls : http://helloworld.com:8888/HelloWorld/ and http://globalworld.com:8888/HelloWorld/
Error received will be :
Internal Server Error The server encountered an unknown error, possibly due to misconfiguration. Contact the server administrator: [no address given]
This error is coming because , now every request to HelloWorld application via OHS is intercepted by WebGate and WebGate needs to pass this request to OAM server for policy enforcement.Since there is no webgate agent yet configured on OAM server, this error is coming .
Configuration of WebGate Agent 11g on OAM Server using oamconsole :
Logon to oamconsole .
Go to Application Security >> Agents >> Create WebGate Agent and enter below values and click apply .
Version : 11g Name : HelloWebGate Check : Virtual Host options ( as we are using virtual host in ohs ) Protected Resources : /HelloWorld/**
Go to Application Security >> Application Security >> Application Domain >> Serarch for HelloWebGate >> Select it to open it .
Under HelloWebGate >> Resources Tab : " /HelloWorld/** " can be seen with Authentication and Authorization Policy as : "Protected Resource Policy"
Final Step is to transfer the OAM-Agent related files from oam server machine to ohs server machine.
Go to Application Security >> Agents >> Serarch for HelloWebGate >> Select it to open it >> There is a Download button . Clicking this button will download the agent related artifact on the browser machine.
Copy the file from this HelloWebGate.zip to : /oracle/app/admin/instance/ohs01/config/OHS/ohs01/webgate/config directory
Restart the ohs instance .
Try to access the application page : http://helloworld.com:8888/HelloWorld/ and http://globalworld.com:8888/HelloWorld/
At this point of time I received error : 404 – Page now found .
After some debugging , I found that the host identifier was not updated with the actual host of the ohs server .
Once the host identifier was updated with the ohs machine actual hostname, the application page was presented with the OAM login page.