Chuni Lal Kukreja Kubernetes, OAM, OAAM, OIM, Webgate,Active Directory,SharePoint,IIS Blog

Friday 5 September 2014

Configuring OAM11G R2PS2 for Impersonation Module (Integrated Mode)

Enabling Impersonation Module:

This post is part of series Enabling Impersonation Module in OAM11G R2PS2 IIS7.5

1) Registering Impersonation Module

· We need to register the impersonation module at Global level and so that other sites can configure it at their end.

· Go to the Global site level, open Modules

· Go to “Configure Native Module” (see at the top right corner)

· Click Register.

o Provide a name -> “OAMImpersonation” & path to the IISImpersonationModule.dll (present in webgate install directory).

o Press OK

o As you can see the Module is added to the list.

o But beware don’t add this module at Global Level. We only need to register it here & we will be adding this per site level.

2) Adding Impersonation Module at Site Level:

· Go to your site -> Open Modules

· Configure Native Module:

· The moment we add the module, web.config of the site gets updated.

Extract from it:

Note: The above configuration is valid for the site running in Integrated Mode.

· Thus now we have configured the IISImpersonationModule.dll with our site.

· Restart the IIS Server.

· Now we need to do some configuration at OAM Console end.

· Open OAM Console ->

1) Adding Response Header in Authorization Policy

· Go to Application Domain -> Open WebGate Profile -> Authorization Policy -> Protected Policy

Note- It is not mandate to use ‘Protected Policy’, we are using because we have explicitly not specified the Policy.

· Open Responses Tab (in authorization policy) & add a new response field.

Note: The header field name should be “IMPERSONATE” and value “$user.userid”.

· Add the Response Header & Apply the changes.

· Now at User defined parameter in Webgate Profile:

MSImpersonationCredential=clk:Welcome1

Remember: This user defined parameter contains username & password, this should be an admin user. Because an admin user has the rights to perform impersonation.

· Apply the changes.

3) Performing Impersonation:

1) Deploy the ASP.NET application in your created site.

2) Impersonation feature is activated.

3) Now we will access the resource /WebApp/default.aspx. <we have created a sample app>

o Provide login credentials – try using some other user login rather than using admin login.

o Before you sign in to the system, Open Event Viewer -> Under Windows Logs -> Click Security

o Now do the login, after user authn & authz checks, user is provided the resource access.

Note: This is a sample app created.

· Now to check whether user is impersonated or not.

For this we check the system security event logs, to see that user ‘test’ is impersonated by the admin user ‘clk’.

As we have already opened the event log viewer, now see we have an entry ‘Credential Validation’ entry log.

It shows that system is authenticating the user with credentials of the admin user ‘clk’ that we have provided in the user defined parameters.

o Now Click ‘Log on’ event log above the ‘Credential Validation’ Log. It shows that the system has authenticated the user with ‘clk’. Thus it proves that user ‘test’ has logged in to the system with the credentials of ‘clk’ thus it is impersonated.

Configure Logout URL for Webgate 10g in OAM11G Server

Let's configure logout url for Webgate 10g interacting with OAM11G server:

To let the user logout properly in Webgate 10g, it is required to do a little bit of configuration so as to have a centralized logout.

The complete URL that needs to be triggered have 2 parts - URL + QueryString
Syntax: hostname:port?end_url=<redirect_url>

Steps to do:

1) Configure logout url on OAM11g server Webgate Profile:

2) Now you need to check that logout.html page exists in your Webgate Install Dir:
a) Go to <Webgate Inst Dir>/access/oamsso/ directory
b) Check if logout.html page is present. If not than copy the logout.html page here.
b.1) You can get this page from the directory where your 10g webgate artifacts are generated.

3) Make sure you have the "/oamsso" entry check in your httpd.conf file.
    a) Goto your Web server instance directory -> <Webserver instance dir>/config/OHS/ohs1
    b) Open httpd.conf file
    c) Check the entry for 'oamsso'.

       It should look like:

       #*******Default Login page alias***
      <LocationMatch "/oamsso/*">
      Satisfy any
      </LocationMatch>

4) Now you are good to go. But remember your "end_url" is the redirect URL where you want to redirect once you are logout.

5) Cool, now access the resource. Hit the logout URL having end_url in querystring.

6) Once your are logout properly, you will see the success page.

7) To be sure shot, now again access the resource. You will be challenged for credentials again.

For more info: References
http://docs.oracle.com/cd/E17904_01/doc.1111/e15478/webgate.htm#CACBFHDC

Enjoy... :-)

Saturday 23 August 2014

Deploy OAM11g R2PS2 Webgate on IIS7.5 Windows 2008

Installing Webgate On IIS7.5 Windows Server 2008R2

This post is part of series Enabling Impersonation Module in OAM11G R2PS2 IIS7.5

1) Download the Webgate 11g R2PS2 for Windows.

2) Extract the webgate.zip.

3) Go to Disk1 folder present under webgate folder.

4) Copy the path & open command prompt.

a. Change your directory to the path copied above.

5) Now execute the setup.exe followed by jre location

o It will start the installation process.

6) Now follow the steps:

o Press Next

· Skip Software Updates

· Perquisite Checks – Proceed Next

· Installation Location: Provide the installation directory location.

· Installation Summary: Proceed Next to start the Installation

· Installation Started:

· Installation Completed:

So we are done with the Webgate Installation... Now let's proceed to Configuration Phase.. :-)

Configure Webgate with IIS7.5

1) Go to the Webgate Home Directory ->

a. It is the location where we have install the webgate.

For Eg: Our WG Home Location

C:\oracle\product\11.1.1\as_3

b. Go to the deployWebgate folder present under

C:\oracle\product\11.1.1\as_3\webgate\iis\tools\deployWebGate

c. Execute deployWebGateInstance.bat script

You can see the arguments passed to the script (self-explanatory)

d. Now we need to execute ConfigureIISWebGate.bat present under

C:\oracle\product\11.1.1\as_3\webgate\iis\tools\ConfigureIISConf

e. Your site is now mapped with the webgate. To show this mapping. Go to your webgate home location -> lib folder -> open webgate.ini

· Now we need to add artifacts to the webgate instance dir (config folder).

· Restart the IIS Server.

Guys we are done with the Webgate deployment on Windows Server 2008 R2 on IIS7.5 Web Server....!!!!!

Enjoy :-)

Thursday 21 August 2014

Creating an IIS7.5 New Site (Integrated Mode)

Creating an IIS7.5 Site in Integrated Mode:

This post is part of series Enabling Impersonation Module in OAM11G R2PS2 IIS7.5

· Go to Sites -> Right Click -> Add New Site

· Now provide the details & Press Ok. Your site is created now.

o If you explore your site, you will see that perl & cgi handler are already present.

Because we have added them at global site level already.

· Remember the name of the site created. Like we created a site with name “ecc_ship_r2ps2”.

o As this name is required at the time of webgate configuration.

1) Application Pool –

This site created above is in “Integrated Mode”.

Note: Here the .net version is v2.0 but if in future we want to use ObPrincipalModule.dll with our deployed app than this version needs to be changed to v4.0

2) Check Handler Mapping:

Go to IIS -> <Your Site> -> Open Handler Mapping

Note: In case you see that ISAPI.dll is disable, it means it is not having execute permission. Just right click & enable it.

o Give Execute Permission to it.

We are done with IIS7.5 new site creationin Integrated Mode............!!!!!!!!!!!!!!!

Enjoy :-)