Step by Step instructions to install and configure OAM 11g Webgate (11.1.1.5) with Oracle HTTP Server (OHS) 11g (11.1.1.5) are described in this article. OAM 11g Server supports 10g Webgates, 11g Webgates, and OSSO (mod_osso) agents. 11g Webgate has got few security enhancements. Here is a quick list of differences between 10g and 11g Webgates.

Feature11g Webgate10g Webgate
Download PageOracle Identity Management 11gOracle Identity Management 10g (10.1.4.x)
PlatformGeneric version for all platformsPlatform Specific
JDKJDK is requiredJDK is NOT required
GCC LibrariesRequiredRequired
Agent RegistrationsCan be performed after Webgate installationTo be performed before Webgate installation
OHS Integrationto be performed after installation (manually)Installer updates OHS configurations
Webgate CookieOAMAuthnCookie_<host:port>_<random number>ObSSOCookie
OAM Server CookieOAM_IDOAM_ID
Webgate Request CookieOAM_REQOAM_REQ

High level steps are:

  1. Download 11g Webgate

  2. Install 11g Webgate

  3. Configure OHS 11g with 11g Webgate

  4. Remote Registration of 11g Webgate

  5. Test the login

  6. Troubleshooting

Download 11g Webgate

1. Download OAM 11g Webgate from http://download.oracle.com/otn/nt/middleware/11g/111150/ofm_webgates_generic_11.1.1.5.0_disk1_1of1.zip

2. If not already available, download and Install JDK from http://www.oracle.com/technetwork/java/javase/downloads/jdk-6u29-download-513648.html. I have installed JDK in /oracle/middleware/jdk.

Install 11g Webgate

Create a GCC Libraries folder and copy the necessary files into it. GCC Libraries are needed by the Webgate.

[OHS@ohs ~]$ mkdir /oracle/middleware/gcclib
[OHS@ohs ~]$ cp /lib64/libgcc_s.so.1 /oracle/middleware/gcclib/
[OHS@ohs ~]$ cp /usr/lib64/libstdc++.so.5 /oracle/middleware/gcclib
[OHS@ohs ~]$ cp /usr/lib64/libstdc++.so.6 /oracle/middleware/gcclib/
[OHS@ohs ~]$ ls -ltr /oracle/middleware/gcclib
total 2048
-rwxr-xr-x 1 oracle oinstall  58400 Mar  4 11:04 libgcc_s.so.1
-rwxr-xr-x 1 oracle oinstall 825400 Mar  4 11:04 libstdc++.so.5
-rwxr-xr-x 1 oracle oinstall 976312 Mar  4 11:04 libstdc++.so.6
[OHS@ohs ~]$

Now, launch the installer and enter JDK installation location.

[oracle@ohs 11.1.1.5.0]$ unzip ofm_webgates_generic_11.1.1.5.0_disk1_1of1.zip
[oracle@ohs 11.1.1.5.0]$ cd Disk1
[oracle@ohs Disk1]$ ls -ltr
total 112
-rwxrwxr-x  1 oracle oinstall 13307 Dec 20  2010 runInstaller
-rwxrwxr-x  1 oracle oinstall 86016 Mar 28  2011 setup.exe
drwxrwxr-x 12 oracle oinstall  4096 May  5  2011 install
drwxr-xr-x 13 oracle oinstall  4096 May  5  2011 stage
[oracle@ohs Disk1]$ ./runInstaller 
Starting Oracle Universal Installer...

Checking if CPU speed is above 300 MHz.    Actual 3336 MHz    Passed
Checking Temp space: must be greater than 150 MB.   Actual 2621 MB    Passed
Checking swap space: must be greater than 512 MB.   Actual 2047 MB    Passed
Checking monitor: must be configured to display at least 256 colors.    Actual 65536    Passed
Preparing to launch Oracle Universal Installer from /tmp/OraInstall2012-03-04_10-57-26AM. Please wait ...
Please specify JRE/JDK location ( Ex. /home/jre ), <location>/bin/java should exist :/oracle/middleware/jdk
Installing and Configuring 11g Webgate with OHS 11g 003
Installing and Configuring 11g Webgate with OHS 11g 004
Installing and Configuring 11g Webgate with OHS 11g 005
Installing and Configuring 11g Webgate with OHS 11g 006
Installing and Configuring 11g Webgate with OHS 11g 007
Installing and Configuring 11g Webgate with OHS 11g 008
Installing and Configuring 11g Webgate with OHS 11g 009

Configure OHS 11g with 11g Webgate

Webgate installer would not update OHS configuration. So, OHR has to be manually updated here. As shown above, I have installed Webgate 11g in /oracle/middleware/webgate.11g and OHS Instance location is /oracle/middleware/instances/ohs. The following step would create a webgate instance directory in ORACLE_INSTANCE of OHS 11g.

[OHS@ohs ~]$ cd /oracle/middleware/webgate.11g/webgate/ohs/tools/deployWebGate
[OHS@ohs deployWebGate]$ ./deployWebGateInstance.sh -w /oracle/middleware/instances/ohs/config/OHS/ohs1  -oh /oracle/middleware/webgate.11g
Copying files from WebGate Oracle Home to WebGate Instancedir
[OHS@ohs deployWebGate]$

Now, let’s update httpd.conf with the Webgate configuration.

[OHS@ohs deployWebGate]$ export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/oracle/middleware/ohs/lib
[OHS@ohs deployWebGate]$ cd /oracle/middleware/webgate.11g/webgate/ohs/tools/setup/InstallTools
[OHS@ohs InstallTools]$ ./EditHttpConf -w /oracle/middleware/instances/ohs/config/OHS/ohs1 -oh /oracle/middleware/webgate.11g
The web server configuration file was successfully updated
/oracle/middleware/instances/ohs/config/OHS/ohs1/httpd.conf has been backed up as /oracle/middleware/instances/ohs/config/OHS/ohs1/httpd.conf.ORIG.1
[OHS@ohs InstallTools]$

Remote Registration of 11g Webgate

If you’re using remote registration (RREG) tool for the first time, extract RREG.tar.gz and set OAM_REG_HOME and JAVA_HOME in oamreg.sh. This can be done on either OHS server or OAM Server. I have picked OAM Server for RREG tool. 

[oracle@oam ~]$ tar xzf $ORACLE_HOME /oam/server/rreg/client/RREG.tar.gz $ORACLE_HOME
[oracle@oam ~]$ cd $ORACLE_HOME/rreg/bin
[oracle@oam ~]$ diff oamreg.sh oamreg.sh.orig
16c16
< OAM_REG_HOME="/oracle/middleware/oam/rreg"
---
> OAM_REG_HOME=${OAM_REG_HOME-${SCRIPT_PATH}/..}
19c19
< JAVA_HOME="/oracle/middleware/jdk"
---
> JAVA_HOME=$JAVA_HOME
[oracle@oam ~]$

Create an input for RREG tool (for inband operation as this is performed on OAM Server and by OAM Admin). I have root protected all the URLs and unprotect /index.html and /unprotectedbyoam.html, excluded /excludedbyoam.html.

[oracle@oam ~]$ cat /oracle/middleware/oam/rreg/input/OHS_WebGate11g.xml 
<?xml version="1.0" encoding="UTF-8"?>

<!-- 
 Copyright (c) 2009, 2011, Oracle and/or its affiliates. All rights reserved. 

   NAME: OAM11GRequest_short.xml - Template for OAM 11G Agent Registration Request file
         (Shorter version - Only mandatory values - Default values will be used for all other fields)
   DESCRIPTION: Modify with specific values and pass file as input to the tool.

-->
<OAM11GRegRequest>

   <serverAddress>http://localhost:7002</serverAddress>
    <hostIdentifier>OHS_HOST</hostIdentifier>
    <agentName>OHS_OHS11G_WEBGATE11G</agentName>
    <protectedResourcesList>
        <resource>/</resource>
        <resource>/.../*</resource>
    </protectedResourcesList>
    <publicResourcesList>
        <resource>/index.html</resource>
        <resource>/unprotectedbyoam.html</resource>
    </publicResourcesList>
    <excludedResourcesList>
        <resource>/excludedbyoam.html</resource>
    </excludedResourcesList>

</OAM11GRegRequest>
[oracle@oam ~]$

Now, let’s the RREG tool to create the artifacts files needed to be copied to Webgate folder on OHS Server from OAM Server.

[oracle@oam ~]$ cd $ORACLE_HOME/rreg
[oracle@oam rreg]$ ./bin/oamreg.sh inband input/OHS_WebGate11g.xml
JAVA_HOME=/oracle/middleware/jdk
CLASSPATH=/oracle/middleware/oam/rreg/lib/rreg.jar:/oracle/middleware/oam/rreg/lib:/oracle/middleware/oam/rreg/lib/RequestResponse.jar:/oracle/middleware/oam/rreg/lib/commons-codec-1.3.jar:/oracle/middleware/oam/rreg/lib/commons-httpclient-3.1.jar:/oracle/middleware/oam/rreg/lib/commons-logging-1.1.1.jar:/oracle/middleware/oam/rreg/lib/ojmisc.jar:/oracle/middleware/oam/rreg/lib/jps-api.jar:/oracle/middleware/oam/rreg/lib/jps-internal.jar:/oracle/middleware/oam/rreg/lib/jps-common.jar:/oracle/middleware/oam/rreg/lib/identitystore.jar:/oracle/middleware/oam/rreg/lib/identityutils.jar:/oracle/middleware/oam/rreg/lib/ldapjclnt11.jar:/oracle/middleware/oam/rreg/lib/dms.jar:/oracle/middleware/oam/rreg/lib/fmw_audit.jar:/oracle/middleware/oam/rreg/lib/ojdl.jar:/oracle/middleware/oam/rreg/lib/oraclepki.jar:/oracle/middleware/oam/rreg/lib/osdt_cert.jar:/oracle/middleware/oam/rreg/lib/osdt_core.jar:/oracle/middleware/oam/rreg/lib/osdt_jce.jar:/oracle/middleware/oam/rreg/lib/osdt_saml.jar:/oracle/middleware/oam/rreg/lib/osdt_xmlsec.jar:/oracle/middleware/oam/rreg/lib/xmlparserv2.jar:/oracle/middleware/oam/rreg/lib/jps-unsupported-api.jar:/oracle/middleware/oam/rreg/lib/nap-api.jar:/oracle/middleware/oam/rreg/lib/utilities.jar:.
OAM_REG_HOME=/oracle/middleware/oam/rreg
------------------------------------------------
Welcome to OAM Remote Registration Tool!
Parameters passed to the registration tool are: 
Mode: inband
Filename: /oracle/middleware/oam/rreg/input/OHS_WebGate11g.xml
Enter admin username:weblogic
Username: weblogic
Enter admin password:          
Do you want to enter a Webgate password?(y/n):
n
Do you want to import an URIs file?(y/n):
n

----------------------------------------
Request summary:
OAM11G Agent Name:OHS_OHS11G_WEBGATE11G
URL String:OHS_HOST
Registering in Mode:inband
Your registration request is being sent to the Admin server at: http://localhost:7002
----------------------------------------

Inband registration process completed successfully! Output artifacts are created in the output folder.
[oracle@oam rreg]$

Now, copy these files to OHS Server.

[oracle@oam ~]$ scp /oracle/middleware/oam/rreg/output/OHS_OHS11G_WEBGATE11G/* ohs:/oracle/middleware/instances/ohs/config/OHS/ohs1/webgate/config

That’s all. Restart OHS and check OAM Console to see if things are right and assign the desired AuthenticationScheme to this OHS resources.

Installing and Configuring 11g Webgate with OHS 11g 010 Installing and Configuring 11g Webgate with OHS 11g 011

Troubleshooting

Problem. 1: The library libstdc++.so.6 does not exists in the provided location

Fix: This can happen when libstdc++.so.6 does not exist or when bit mismatches between OS (64bit) and OHS (32bit). If OHS is 32bit and installing 32bit GCC libraries on 64bit OS, run 11g Webgate installer from 32bit shell (for example: linux32 sh)

Problem. 2: The AccessGate is unable to contact any Access Servers / Exception thrown during WebGate initialization on Solaris environments with OAM in Simple Security Mode (instead of open).

Fix: This has something to do with PKCS11-Solaris security provider. Apply OAM 11.1.1.5 BP02 (Patch 13115859) to fix this. Please refer to bug#: 12716214 and note#: 1395791.1 for more information.