4 System Configuration: Servers, Data Sources, and Agents
Copyright © 2010, Oracle and/or its affiliates. All rights reserved.
Objectives
After completing this lesson, you should be able to:
• Manage servers by using the OAM administration (admin) console and the Oracle WebLogic Server (WLS) admin console
• Manage data sources
  – User Identity Store
• Register and manage agents by using the OAM admin console
• Register agents remotely
• Secure communication between a WebGate and the OAM server
Practice 4 Overview: Installing and Configuring OHS 11g
This practice covers the following topics:
• Practice 4-1: Install and configure OHS 11g instances
Road Map
• Managing OAM servers
• Installing and configuring agents
• Registering agents: The OAM admin console, in-band, out-of-band
• Understanding WLS agents
• Managing data sources
• Securing communication between agents and the OAM server
Servers
Oracle Access Manager servers are of two types:
• OAM administration server
• OAM managed server
  – Contains the embedded OAM and OSSO proxy servers to support backward compatibility
OAM servers are initially created by using:
• The WLS Configuration Wizard
OAM servers are managed by using:
• The OAM admin console (primary management interface)
• The WLST command-line interface
• The WLS admin console: status, start/stop
• The EM FMW Control: view logs, start/stop, monitoring, operational metrics
Creating and Deleting a New Managed Server
Managing Servers
• The OAM admin server is also known as the WLS admin server AdminServer (admin).
  – The OAM admin console and EM FMW Control run within the admin server.
• The OAM run-time server runs within the OAM managed server oam_server1 (default name).
• By using the WLS Configuration Wizard, the WLS admin console, or the WLST CLI you can:
  – Create new managed servers (for clustering – high availability)
  – Change the default name and port for managed servers
• By using the OAM admin console or the WLST CLI you can:
  – Create the definition for new managed servers
  – Set the individual and common server properties
Individual Server Properties
• OAM admin console > System Configuration tab > Server Instances > server_name
• Server Properties:
  – Site Name: This is a name for the server instance, defined during initial configuration by using the Configuration Wizard.
  – Host: This is the full DNS name (or IP address) of the computer that is hosting the server instance.
  – Port: This is the port on which this server communicates.
  – OAM Proxy:
    — WebLogic Port: WLS listening port
    — Port: OAM proxy instance port
    — Proxy Server ID: Identifier of the computer on which the OAM proxy resides
    — Mode: Transport security setting for the OAM proxy
  – Coherence
OAM Proxy
• Motivation for the OAM proxy:
  – The OAM proxy is installed with each managed server for the OAM server and is used for communication between WebGates and the OAM 11g server.
  – It is used as a legacy access server to provide backward compatibility for OAM 10g agents that are registered with the OAM 11g server.
  – It coexists with 10g WebGates/ASDK.
  – It supports OAM 11g WebGates.
• Functionality:
  – It shields the 11g server from client-specific behavior and protocol.
  – It supports the OAP (formerly known as NAP) back channel for WebGates to the 11g server. The default port is 5575.
  – It supports HTTP front channel request handling required for WebGates.
Managing Servers from WLS Admin Console and Command Line
• WLS Admin Console > <Domain_Name> > Environment > Servers
• Common Operations:
  – Start/Stop screenshots
  – Show Deployments tab
  – Show both admin and managed server for OAM
• Command line option to start:
  – Admin server: startWebLogic.cmd
  – Managed server: startManagedWebLogic.cmd server_name http://admin_server_host:admin_server_port
Agents
Oracle Access Manager policy enforcement agents:
• Filter HTTP requests
• Are installed on the Web server
• Are of two types:
  – OAM agent: WebGate (10g or 11g) or AccessGate
  – OSSO agent: mod_osso
WebGate Provisioning and Installation
• Working with WebGate is a two-step process:
  1. WebGate installation
  2. WebGate provisioning
• Provisioning is the process of creating a WebGate profile in the OAM 11g server.
• OAM 11g: Two ways of provisioning:
  – Using the OAM 11g console
  – Using the remote registration tool
• In OAM 10g, this was achieved by using:
  – Access System console > Add AccessGate
Installing and Configuring WebGate 11g
• A WebGate's deployment structure should be aligned to the OHS 11g directory structure.
  – WebGate Oracle home:
    — All the WebGate binaries and common configuration files reside here.
    — It is aligned with the OHS 11g ORACLE_HOME.
    — Single installation in a Middleware home
  – WebGate Instance home:
    — All WebGate configuration files are deployed here.
    — It is aligned with the OHS 11g ORACLE_INSTANCE.
    — Each OHS instance has one WebGate instance.
• You have the ability to create and configure multiple WebGate instances.
• A WebGate's module configuration resides in a separate CONF file (webgate.conf) which gets included in the httpd.conf file of the OHS instance.
Installing and Configuring WebGate 11g
• Installing through the OUI installer
  – Provide the Middleware home
• Post-install configuration
  – Deploying the WebGate instance:
    deployWebGateInstance -w <WebGate_instancedir> -oh <WebGate Oracle Home>
  – Updating the Web server configuration:
    EditHttpConf -w <WebGate_instancedir> [-oh <WebGate Oracle Home>] [-o <output_file>]
Installing and Configuring WebGate 11g
  – Registering a WebGate with the OAM 11g server
    — Run RREG (artifacts generated in <RREG_HOME>/output/<Agent ID>)
    — Copy the RREG-generated artifacts to the WebGate instance:
      — ObAccessClient.xml
      — cwallet.sso
      — password.xml (simple & cert)
      — aaa_key.pem (simple)
      — aaa_cert.pem (simple)
  – Restart the Web server
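As an added example (not Oracle's tooling and not part of this course), the following POSIX shell functions check that the RREG-generated artifacts listed above match the WebGate's transport security mode before copying them into the instance, and restrict permissions on the copied key material. It assumes the destination directory <WebGate_instancedir>/webgate/config and the mode names open, simple and cert; the open-mode requirement (ObAccessClient.xml and cwallet.sso only) is inferred from the slide's annotations.

```shell
#!/bin/sh
# Added example, not Oracle's deployment tooling.
# Usage: deploy_artifacts <RREG_HOME>/output/<Agent ID> <open|simple|cert> <WebGate_instancedir>

# Artifacts a given transport mode requires (from the slide's annotations:
# password.xml for simple & cert, aaa_key.pem and aaa_cert.pem for simple only;
# the open-mode set is an assumption).
required_artifacts() {
    case "$1" in
        open)   echo "ObAccessClient.xml cwallet.sso" ;;
        cert)   echo "ObAccessClient.xml cwallet.sso password.xml" ;;
        simple) echo "ObAccessClient.xml cwallet.sso password.xml aaa_key.pem aaa_cert.pem" ;;
        *)      echo "unknown transport mode: $1" >&2; return 2 ;;
    esac
}

# check_artifacts <rreg_output_dir> <mode>: returns 0 when every required file
# is present and non-empty, 1 otherwise (missing files are listed on stderr).
check_artifacts() {
    dir=$1; mode=$2; missing=0
    files=$(required_artifacts "$mode") || return 2
    for f in $files; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty artifact: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# deploy_artifacts <rreg_output_dir> <mode> <webgate_instance_dir>: copies only the
# required artifacts into the instance config directory (assumed location) and
# makes them readable by the Web server owner alone, since cwallet.sso, password.xml
# and aaa_key.pem are secrets that authenticate the WebGate to the OAM server.
deploy_artifacts() {
    src=$1; mode=$2; dest=$3/webgate/config
    check_artifacts "$src" "$mode" || return 1
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    for f in $(required_artifacts "$mode"); do
        cp "$src/$f" "$dest/$f" && chmod 600 "$dest/$f" || return 1
    done
}
```

Run it as the account that owns the OHS instance so the 600/700 permissions match the Web server's run-time user.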
Practice 4 Overview: Installing, Creating, and Configuring an OAM 11g WebGate
This practice covers the following topics:
• Practice 4-2: Install an OAM 11g WebGate
• Practice 4-3: Create an OAM 11g WebGate instance
• Practice 4-4: Configure an OAM 11g WebGate
Registering Agents
• Registration is the process of provisioning an agent in the OAM 11g server, which includes the following:
  – An agent profile is created on the server.
  – Output artifacts consumed by the agent run time are created on the client or server.
  – Default policies are created to protect the agent applications (AuthN or AuthZ).
• Agents are registered by using:
  – The OAM admin console (System Configuration > Agents > OAM agents/OSSO agents)
  – The remote registration utility (oamreg)
• Agent registration results in the automatic creation of a new application domain named after the agent.
Registering Agents
• Agent registration results in:
  – A new host identifier created with the agent name as its name
  – Default Authentication and Authorization policies
  – A key generated for partners (applications) during registration
  – A key generated for the SSO Engine that is used for encrypting and decrypting SSO cookies (ObSSOCookie for WebGates and the mod_osso cookie)
  – A new directory <MW_HOME>/user_projects/domains/<domain_name>/output/<Agent_name> containing:
    — ObAccessClient.xml (for WebGate or AccessGate)
    — osso.conf file (for mod_osso)

ObAccessClient.xml (OAM 10g)            | ObAccessClient.xml (OAM 11g)
Generated by the configureWebGate tool  | Generated by the remote registration tool
Available on the WebGate host           | Available on the OAM server host
Creating or Registering OAM Agents by Using the OAM Admin Console
Viewing and Editing OAM Agent Registration by Using the OAM Admin Console
Creating or Registering OSSO Agents by Using the OAM Admin Console
Viewing and Editing OSSO Agent Registration by Using the OAM Admin Console
Configuring OAM 10g WebGate in an Existing OAM 10g Deployment to Use the OAM 11g Server
• Prerequisites:
  – Apply the latest patch to the OAM 10g WebGates
  – Make sure the OAM 11g servers (admin and managed) are up and running
• Register the OAM 10g WebGate by using either of the following:
  – The OAM 11g admin console
  – The remote registration method
• Manually update the WebGate configuration file
• Restart the Web server