Configuring Detached Credential Collector Webgate 11g with Oracle Traffic Director Server

Pre-requisites:

1. OTD is installed & is in running state.
2. Origin Server like OHS is configured in origin server pool settings.
3. WebGate 11g is configured with OTD - you are able to execute ECC Scenario (this step is just to verify that setup is done properly).

This chapter is divided into :

• Configure OHS Server (here we have used OHS server as origin server with OTD)
• Creating DCC Webgate Profile in OAM Server
• Accessing OTD Protected resource.

Quickly i will show you the OTD Admin Console & Config done on it:

Let's begin the configuration process:

1) In order to enable DCC configuration in OTD, we need the resources used by DCC like login.pl, logout.pl etc present at OHS Server.

• Now the question arises why at OHS not at OTD? Because in OTD we have to rely on origin server to provide the resources.
• Now second question - from where we will get the resources. It is simple to answer. You can get these resources from OTD webgate installed directory.

bash$> ls /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso*

• So simply copy these 2 folder in OHS server instance directory:
• Copy the oamsso-bin folder:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso-bin /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/oamsso-bin/

• Copy the oamsso folder under htdocs directory:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/htdocs/oamsso/ 

• Ok, we have the resources with us. Now it is required to config the OHS httpd.conf file.

This is what we have added:

1) 

 ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"

    Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

2) 

<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">

    AllowOverride None

    Options None

    Order allow,deny

    Allow from all

</Directory>

• Done.. We need to check whether we are able to access the resource. So how we will do this. Simple man - start the ohs server & access the resource.

bash$> cd /Middleware_Home/Oracle_WT1/instances/instance1/bin

bash$> ./opmnctl startall

Server started.....

• Access the resource hit the url- http://<host:port>/oamsso-bin/login.pl

You will be able to see the login.pl resource.

2) We are done with OHS settings, now proceed to create a DCC webgate profile at OAM Server. to do this follow: Configure DCC Webgate Profile

• Copy the created artifacts to the OTD Webgate instance directory.

bash$>cp /Middlware_Home/user_projects/domains/base_domain/output/dcc-9090/* /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/otd_instance/dcc-inst/config/

Note: My otd webgate instance is present in the otd installed directory itself. May be your directory structure might be different than mine. So no need to worry.

3) Now restart the OTD Instance:

bash$> cd /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/instances/bin/net-otd/
bash$> ./stopserv
Server Stopped....

bash$> ./startserv
Server Started....

You can restart/start/stop the otd instance from OTD Admin Console as well......

4) Access a protected resource like /index.html:
hostname - clk-host.us.com
OTD insatnce port - 9090
resource - index.html

http://clk-host.us.com:9090/index.html

Congrats you have done it.....!!!!!!

Enjoy :-)

Post Data Restoration and Long URL handling - OTD Webgate11g

Post Data Restoration and Long URL handling:

This feature is available in newer OTD Webgate 11g R2PS2 release dated '06/06/2014'.
While in the older OTD R2PS2 release dated '12-dec-2103', this feature is missing.

So kindly upgrade the webgate to the newer release.

To Download follow below link:
https://edelivery.oracle.com/EPD/Download/get_form?egroup_aru_number=15364661

• Open the above link & download the Part Number-  V46017-01

Note: 

1. Although it is mentioned in the download setup 'Solaris SPARC 64bit', but it is generic installer. You can use it for all platforms.
2. Currently this new OTD Webgate 11g R2PS2 is not available on OTN.

Enjoy :-)

Lock Files in OAM 11g R2PS2

Don't play with Lock Files in OAM 11g:

You must have had noticed that there are some files present in diagnostics folder or in webgate profile folder with an extension .lck.

Eg: 

polltracking.lck

oblog.log.lck

ObAccessClient.xml.lck

Basically these lock files are required by the server process so as to perform the read/write lock operations.

In case they are unable to do so, it might cause an issue.

So what could be the reason that the process is not able to acquire lock on a file and what can happen in that case.

Scenario:

1) In the Oracle Webtier instance directory we have a diagnostics folder where the logging info is captured.

Path: <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/diagnostics/logs/OHS/ohs1

In the above mentioned directory we have another directory having some numeric name like ->  2517662326/

So what this contains & how come this name?

• Basically this folder contains lock files which are as follows:
• polltracking.lck
• oblog.log.lck
• ObAccessClient.xml.lck

• And the name of this folder is the result of Hash done on the instance_name absolute path i.e. /scratch/ckukreja/OracleNew/Middleware/Oracle_WT1/instances/instance1/diagnostics/logs/OHS/ohs1
• So the hash of above path is 2517662326 this.

Now at the time server process is coming up, it checks for the directory path where the .lck file can be created or lock can be acquired.

As we know that webgate is integrated to the web-server like OHS, OTD, DOMINO, IIS, APACHE etc, So like in case of OHS server, the httpd.worker process looks for the directory path in following sequence:

1) Webgate Lock Directive mentioned in webgate.conf

2) Lock Directive mentioned in httpd.conf

3) Default Lock Directive

This sequence info can be found in webgate.conf file present in <MiddlewareHome>/<Oracle_WebTier>/instances/<instance_name>/config/OHS/ohs1/webgate.conf

Abstract from webgate.conf:

# WebGateLockFileDir: Optional directive specifying the location to create

# webgate lock files.

#

# If configured, then all webgate lock files will be created under

# <WebGateLockFileDir>/<Hash of WebGateInstancedir>. The hash subdir is to

# ensure uniqueness for each webserver instance and avoid locking conflicts

# if two different instances have configured the directive with same value.

#

# If the dir does not exist before, will try to create it first. If dir

# creation failed or the directive not configured, for Apache based web

# servers, will check web server's LockFile directive (also optional), extract

# its dir and use <LockFile's dir>/<Hash of WebGateInstancedir> if exists or

# created successfully.

#

# If none of above is defined or exists, then webgate falls back to old model,

# i.e. use same location as original file that lock is based upon.

#

# This directive is useful when webgate instance is located on NFS mounted

# disks and performance greatly impacted. Configure it to local dir will solve

# the issue.

#

# WebGateLockFileDir "<some_local_dir>"

So lets say we have specified the entry in the httpd.conf file:

• Under mpm worker module 
• LockFile ${ORACLE_INSTANCE}/diagnostics/logs/${COMPONENT_TYPE}/${COMPONENT_NAME}/http_lock"

Thus from here the location is identified & webgate will initialize & read-write lock to this directive only for its task.

Problem:

So what if while the server is up & running and some one tries to play with these locks intentionally or unintentionally. In that case its a problem.........!!!!!!!

Usually what we do is that we specify the lock file location to some /tmp or other directive which is listed in some cron job. And the time cron job executes it deletes the directory.

Thus while the process is running & such tampering is done, so when some user request lands to the web server, it will result in failure of user requests.

WebGate will again create this directory and subsequent calls will be success.

Precaution:

Always specify the lock file directory to such a place where it is a surety that the directory won't gets deleted while the server is running and catering users requests............................

Enjoy :-)