Showing posts with label DCC Webgate 11g. Show all posts
Showing posts with label DCC Webgate 11g. Show all posts

Thursday, 26 November 2015

OAM - allowedaccessgatelist user defined parameter

Ever wondered what this "allowedaccessgatelist" parameter does or why it is their ....... Let's understand it.....

  

First of all what does Oracle doc tell you about this paramtere;

allowedAccessGateList= Authentication Scheme challenge parameter configured with SPACE separated list of WebGate IDs defining those WebGates that are allowed to enforce authentication by this scheme. 
For example:
allowedAccessGateList=WebgateID1 WebgateID2


Where to configure it & how?

This parameter is applicable for Authn Scheme configured as user defined parameter. 
  •  for 11g -> allowedAccessGateList=WebgateID1 WebgateID2
  • for 10g -> allowedAccessGateList:WebgateID1 WebgateID2
 The only difference is that '=' is used in 11g while ':' is used in 10g

What does it do if configured?

It ensures that the no other webgate profile can use the authn scheme other than configured in this parameter.
Like;
allowedAccessGateList=WebgateID1 WebgateID2

If while accessing the resource it is found that the webgate id profile mismatches with the one configured, what will happen?

User will not be able to access the resource even if the provided creds are correct.

Demo:  

ECC & DCC : Call flow with allowedAccessGateList parameter defined in authn scheme;



Configuration Steps:

  •  Open /oamconsole

  •  I have created an auth scheme that i will use for ECC

  •  In user defined parameter define the allowedAccessGateList parameter with its value.

  •  I have already created DCC Authn Scheme that i will with for RWG protected resources.


  •  Goto ur ECC & RWG Profile in Application Domain;

  •  Assign the respective Authn Scheme in the Protected Resource Policy;


In the shown configuration, i have configured corrected webgate id in the allowedAccessGateList parameter; 
In case their is a mismatch following errors are shown by ECC & RWG webgate when protected resource is accessed:

ECC:


 

RWG:




Hope it clears the funda.... !!!!

Enjoy :-)

Sunday, 22 February 2015

Enabling DCC for OAM 11g & OIF

Enabling DCC for OAM & OIF:


This post is divided into following sections:

1) Understanding OIF
2) Installing OAM 11g, OHS, Webgate 11g
3) Integrating OIF & OAM 11g
4) DCC for OAM & OIF



Enjoy :-)

Wednesday, 14 January 2015

Configuring Detached Credential Collector Webgate 11g with Oracle Traffic Director Server

Pre-requisites:

  1. OTD is installed & is in running state.
  2. Origin Server like OHS is configured in origin server pool settings.
  3. WebGate 11g is configured with OTD - you are able to execute ECC Scenario (this step is just to verify that setup is done properly).

This chapter is divided into :

  • Configure OHS Server (here we have used OHS server as origin server with OTD)
  • Creating DCC Webgate Profile in OAM Server
  • Accessing OTD Protected resource.


Quickly i will show you the OTD Admin Console & Config done on it:







Let's begin the configuration process:


1) In order to enable DCC configuration in OTD, we need the resources used by DCC like login.pl, logout.pl etc present at OHS Server.

  • Now the question arises why at OHS not at OTD? Because in OTD we have to rely on origin server to provide the resources.
  • Now second question - from where we will get the resources. It is simple to answer. You can get these resources from OTD webgate installed directory.
bash$> ls /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso*




  • So simply copy these 2 folder in OHS server instance directory:
    • Copy the oamsso-bin folder:

bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso-bin /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/oamsso-bin/
    • Copy the oamsso folder under htdocs directory:
bash$> cp -rf /scratch/ckukreja/oracle/product/11.1.1/as_all/webgate/iplanet/oamsso /Middleware_Home/Oracle_WT1/instances/<instance-name>/config/OHS/ohs1/htdocs/oamsso/ 
  • Ok, we have the resources with us. Now it is required to config the OHS httpd.conf file.

This is what we have added:
1) 
 ScriptAlias /oamsso-bin/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin/"
    Alias /oamsso/ "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/htdocs/oamsso/"

2) 
<Directory "${ORACLE_INSTANCE}/config/${COMPONENT_TYPE}/${COMPONENT_NAME}/oamsso-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>

  • Done.. We need to check whether we are able to access the resource. So how we will do this. Simple man - start the ohs server & access the resource.
bash$> cd /Middleware_Home/Oracle_WT1/instances/instance1/bin
bash$> ./opmnctl startall
Server started.....
    • Access the resource hit the url- http://<host:port>/oamsso-bin/login.pl

You will be able to see the login.pl resource.

2) We are done with OHS settings, now proceed to create a DCC webgate profile at OAM Server. to do this follow: Configure DCC Webgate Profile

  • Copy the created artifacts to the OTD Webgate instance directory.
bash$>cp /Middlware_Home/user_projects/domains/base_domain/output/dcc-9090/* /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/otd_instance/dcc-inst/config/

Note: My otd webgate instance is present in the otd installed directory itself. May be your directory structure might be different than mine. So no need to worry.


3) Now restart the OTD Instance:

bash$> cd /scratch/ckukreja/oracle/product/11.1.1.7.0/trafficdirector_Home_1/instances/bin/net-otd/
bash$> ./stopserv
Server Stopped....

bash$> ./startserv
Server Started....

You can restart/start/stop the otd instance from OTD Admin Console as well......

4) Access a protected resource like /index.html:
hostname - clk-host.us.com
OTD insatnce port - 9090
resource - index.html

http://clk-host.us.com:9090/index.html



Congrats you have done it.....!!!!!!

Enjoy :-)

Thursday, 11 December 2014

Configuring DCC Webgate 11g with IIS7.5 on Windows 2008 R2

 Pre-requisites:

  1. IIS Server Role is already added: In case not follow Configure IIS Server Role
  2. IIS Site is created: 
    1. IIS Site Global Configuration IIS
    2. New Site Creation
  3. IIS R2PS2 Webgate is installed & configured with the IIS Sites: Configure IIS R2PS2 Webgate 11g

Let's start the process:

  • Open OAM Console : http://host:port/oamconsole
  •  Create Webgate Agent Profile:
    • We need to create 2 profiles: One is the resource webgate profile & other is DCC webgate profile.
  •  Create Resource Webgate Profile: rwg-9090
Note: I have configured my OAM Server in Simple Mode, that's why security mode is chosen as 'simple'.
  • Create DCC Webgate Profile: dcc-9091
Note: Once you have created  the profile, to make it DCC we need to tick the detached credential collector flag.
    • Once done the change, click apply to reflect the changes.
  •  Now we need to add resources to with the DCC profile just created:
    • We need to add a few excluded resources, so that no authentication/authorization is made for them.
    •  Select the dcc-9091 profile:
    •  Let's create excluded resource:

    •  We have created following excluded resources:
      • /favicon.ico
      • /oamsso-bin/login.pl
      • /oamsso/** - Note this is an additional resource to be excluded as for IIS this needs to be excluded. Other wise for other servers it is not required.
  •  Now we need to create a DCC Authentication Scheme: This scheme will be used by resource webgate & dcc webgate both.



  • Now we need to attach the both created authn scheme with the profiles:





  •  You can see that i have created 2 IIS sites & webgate is already configured with both of them.
  • Now copy the artifacts to the webgate instance directory in the respective resource & dcc webgate sites.
    • In our setup: we have rwg-9090 for resource webgate & dcc-9091 for dcc webgate.
  • Once done, restart the IIS Server: using the command 'iisreset'. 
  • Now access the protected resource webgate url:
          http://host:9090/welcome.html
    • Did you noticed you get this login page, having url as http://host:9091/oamsso-bin/login.pl
    • This is the challenge url that we have mentioned in the dcc authn scheme.
    • With DCC webgate in picture, the oam server ip port is mot visible to the end user, that's why it is a detached credential collector. It has detached the credential collection process from the OAM Server.
    • Now it is the DCC which creates OAP/NAP connections with OAM Server.


This end's the DCC Webgate Configuration with IIS 7.5/8.5 on Windows 2008 R2.

Enjoy :-)