29 comments
Hi,
We have a problem with our installation and would like to send a request to you.
We are installing OAM 10.1.4.3 with OID 11.1.1.3.
We are so far that we are installing the AccessGate.
When we are adding a New Access Gate, we receive the following error:
Preferred HTTP Host must specify an existing host identifier variation, SERVER_NAME, or HOST_HTTP_HEADER
Have you seen this before?
Regards,
Andre
@ Andre,
Yes, this is a requirement. Define a host name identifier before defining the WebGate.
1. Launch the Access System Console and click the Access System Configuration tab.
2. In the left navigation pane, click Host Identifiers.
3. Click Add to add a new host identifier.
http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2access.htm#BEIHGGAG
and
http://download.oracle.com/docs/cd/E10761_01/doc/oam.1014/b32420/v2access.htm#BEIHHDII
Hi Atul,
What is the secret symmetric key generated during the agent registration used for? Is this used for encrypting the obSSOcookie? I would think the obSSOcookie would be encrypted using a session key rather than the symmetric key.
Cheers,
Dan
@ Dan,
The secret symmetric key is used to validate the identity of the registered WebGate (agent). This is just extra security added in OAM 11g.
[…] OAM WebGate: also known as AccessGate (in 10g) or OAM Agent (in 11g), it is a web server plugin installed with the web server (OHS, IIS, Apache, IBM WebServer) and communicates with the Oracle Access Manager Server (Access Server in OAM 10g). When a user accesses a resource protected by Oracle Access Manager (OAM), the WebGate communicates with OAM to find how the resource is protected and asks the user to provide credentials based on the Authentication Policy set for the resource. For the request flow for WebGate check my earlier post here. For an overview of Agents in OAM 11g (OAM Agents & OSSO Agent) click here […]
Hi Atul,
I have just bought your book, which I know is going to be a great help over the next few months! However, I wonder if you could advise on the following please?
I have an OHS 11g WebGate working with OAM 11.1.1.5. However, I have found that after a while, when I apply authn or authz policy changes they are not picked up by the WebGate. Restarting OHS doesn’t help, nor does restarting the oam_server instance. It seems that only rebooting the OAM/OID host machine fixes this problem, which doesn’t seem right! What do I need to do to propagate policy changes please?
Thanks,
Bernie
@ berniej,
Policy is stored in the database via oamconsole (running on the admin server of WebLogic).
Ideally, updating a policy should invalidate the cache on the WebGate. Try the following after updating a policy (authentication/authorization…):
1. Log out of oamconsole, log in again and see if the changes are visible in oamconsole.
2. If not, then bounce the admin server and see if the changes are visible in oamconsole.
3. If not, then raise a Service Request.
Which Operating System are you using?
Thanks Atul,
Policy changes are visible in oamconsole after logout/login, so I’m pretty sure they’ve been applied to the DB. The strange thing is that after a reboot any subsequent policy changes are detected immediately by the WebGate for a while, but then seem to stop for some reason. I’ve also noticed that there are a lot of TCP connections to port 5575 in a TIME_WAIT state, which is making me wonder if there are problems occurring with the client (WebGate) connection to the OAM server that build up over time, resulting in a loss of connectivity and thus the WebGate being unable to receive policy updates…?
OS is W2K3
Regards,
Bernie
@ berniej,
You are going in the right direction. Monitor the network traffic between the WebGate and the OAM server.
Do you see anything unusual in the OAM managed server log file?
Check chapter 13 (logging) of my book https://www.packtpub.com/oracle-identity-and-access-manager-11g-for-administrators/book for steps on how to enable logging in OAM components.
Further update….
I think the problem is that the access server is not reading back the updated policy data from the DB – this is why….
I had a response variable set as $user.user_id (which is incorrect; it should be $user.userid). This shows as an error in the oam_server logs and causes an exception.
After correcting this and bouncing oam_server in EM, the error still shows on the next login. How to force oam_server to re-read the policy data, I wonder?
Regards,
Bernie
BTW Atul, eBus12/OAM intgn book is going to be really useful 🙂
Hi,
I have a configuration where there are 7 Apache servers, and 2 Access Servers.
Now, what would be the configuration of the WebGates?
Would I be required to have 7 WebGates installed, one for each Apache server?
I am also in the process of configuring the WebGate and OAM Servers in the OAM Identity Asserter on the WebLogic Domain.
What would be the WebGate name that would go into the configuration on the asserter?
Thanks
@ Luke,
Are these 7 Apaches serving the same content?
Are all 7 Apaches installed on 7 different machines?
Here is my answer based on the assumption that the Access Server is 11g and all 7 Apaches are serving the same content and are installed on 7 different machines:
1. Create 1 WebGate instance in the OAM server.
2. Install 7 WebGates, 1 with each Apache.
Q: What would be the WebGate name that would go into the configuration on the asserter?
A: There is no need to give the WebGate name in the asserter configuration. Which documentation link are you referring to for the Identity Asserter configuration?
Hi Atul,
My understanding is: a Web server or Application Server must be protected by a WebGate or mod_osso RESPECTIVELY that is registered with Oracle Access Manager as an agent.
For OHS (for example) we configure WebGate 11g and register it in OAM. This protects the resources in OHS via the WebGate.
Query: in the case of mod_osso, why do we not configure the Oracle Application Server BUT we configure OHS again?
Thanks!
@ JJ,
mod_osso is an OHS module and must be configured with OHS only.
[…] To know more about WebGate click here, here, here, and here […]
[…] a Policy Enforcement Point (PEP) that is installed with the Web Server. More on Agents (PEPs) in OAM here. WebGates are of version 10g (10.1.4.*), 11gR1 (11.1.1.*), or 11gR2 (11.1.2.*); to find patches […]
Hi Atul,
If an organization has an external authentication system like CAS (Central Authentication System),
how can they hook into the 11g OAM?
Any Ideas,
Thanks
Hi Atul,
I need to protect a web application using OAM 11g, in which we have only 2 JSPs deployed on a Tomcat server. One is login.jsp and the other is dashboard.jsp. I am validating the user against an Oracle DB using a User table, in which we have 3 columns: username, password and role.
Can you please elaborate the procedure to protect this custom Java-based web app with OAM 11g?
Thanks & Regards,
Gupta Katakam
[…] Oracle Access Manager (OAM) is the recommended Single Sign-On (SSO) solution from Oracle. WebGate is an Agent that acts as a Policy Enforcement Point (PEP) and is installed with the web server (OHS, IHS, IIS etc.). To […]
Hi Atul,
Env :
OAM 11gR2
OAM 10g webgate installed over apache2 webserver.
I am working on protecting a proxied url of java application deployed over JBOSS
I am using external custom authentication page in my authentication schema.
In my authentication policy I specified the success URL and failure URL. I am able to redirect to the success URL after successful authentication, whereas if I enter invalid credentials it remains on the login page for up to 4 invalid attempts, and the 5th invalid attempt redirects to the failure URL. In the logs I found that for the first 4 invalid attempts I am getting an "invalid credentials" error, and on the 5th invalid attempt it shows invalid credentials and user locked.
Did I miss anything ?
Please advise.
Thanks,
Viruls
Viruls, this is expected behaviour. In OAM 11g, the user gets locked in the LDAP server (obAccountLock or something like this) after 5 failed attempts. This setting is defined in oam-config.xml.
Atul,
My problem is that whenever a user tries with invalid credentials he should be redirected to the failure URL mentioned in the authentication policy, but in my case it is not happening; it only happens after 5 invalid attempts in a row on the same browser.
Please advise.
Thanks,
Narendra
Hi Atul,
I did the OAM WebGate 11g install and configure, and am able to protect OHS by using the WebGate via the OAM 11g server. I am able to log into the OAM Console with the individual port, like http://hostname:7001/oamconsole. But when I click on the sign-out button, I get the below error message in the browser. Can you please help on this? Greatly appreciated.
Error Message:
===============
Error:Single Sign Off didn’t take place.
Cause:The IDMDomainAgent for SingleSignOn is not enabled,but SingleSignOff tried to access the Agent’s logout page..
Action: Enable the IDMDomainAgent or use a Webgate for SingleSignOn protection.Direct access to this page with the IDMDomainAgent is invalid.
Hi Atul,
We have a requirement in OAM 11g to share the user session between WebLogic applications and applications installed in Oracle Application Server (OAS). WebLogic hosts the portal application, which will direct the user to multiple applications in OAS. Can we achieve this with WebGate configuration and protecting the WebLogic portal applications? Will the user session continue when the user connects to the OAS applications?
Please advise, thanks much.
Regards,
Prabhu
Could you please let me know how can we create a WebGate agent using wlst, I can see “editWebgateAgent” but NO “createWebgateAgent” option, Please let me know, how to do that.
@Anoop, use RREG (Remote Registration) to create a WebGate from the CLI.
Hi Atul,
I want to create webgate agent WITHOUT any GUI.
RREG uses the console page to create this. Is there a way to CREATE webgate agent using commands ??
Thanks Atul. Could you please let me know how we can change the WebGate mode from “open” to “simple” using the CLI? I could not see any option present in “editWebgateAgent” to do this.
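As an added example (not from the original post, the book, or Oracle's own sample files), a POSIX shell helper for the RREG route Atul points to: it writes an OAM 11g inbound registration request with the WebGate mode chosen up front via the `<security>` element (open, simple or cert) and runs `oamreg.sh inbound`, which covers both creating the agent without the console and the open-to-simple question. It assumes an 11g WebGate against an OAM 11g server, that `RREG_HOME` points at the unpacked RREG tool, and that the admin URL, host identifier and agent name are constructed sample values; simple mode also needs the global passphrase configured on the OAM server.

```shell
# Added example: build an RREG inbound request for an OAM 11g WebGate and register it.
# RREG_HOME is an assumed path to the RREG tool shipped with OAM 11g (bin/oamreg.sh).
RREG_HOME="${RREG_HOME:-/u01/oam/rreg}"

# Write an OAM11GRegRequest file. $5 is the transport mode recorded in the
# agent definition: open, simple or cert. Element names follow OAM11GRequest.xml.
make_rreg_request() {
    out="$1"; admin_url="$2"; host_id="$3"; agent="$4"; mode="$5"
    case "$mode" in open|simple|cert) ;; *) echo "bad mode: $mode" >&2; return 1 ;; esac
    cat > "$out" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<OAM11GRegRequest>
    <serverAddress>${admin_url}</serverAddress>
    <hostIdentifier>${host_id}</hostIdentifier>
    <agentName>${agent}</agentName>
    <security>${mode}</security>
</OAM11GRegRequest>
EOF
}

# Read back the mode from a request file, to check it before registering.
request_mode() {
    sed -n 's:.*<security>\(.*\)</security>.*:\1:p' "$1"
}

# Run the inbound registration. Returns 2 when the RREG tool is not present,
# so a script can distinguish "tool missing" from a registration failure.
rreg_register() {
    req="$1"
    if [ ! -x "$RREG_HOME/bin/oamreg.sh" ]; then
        echo "oamreg.sh not found under $RREG_HOME" >&2
        return 2
    fi
    "$RREG_HOME/bin/oamreg.sh" inbound "$req"
}

# Usage with constructed values (admin server URL, host identifier, agent name):
# make_rreg_request /tmp/OAM11gRequest_webgate01.xml \
#     http://oamadmin.example.com:7001 webgate01_hostid webgate01 simple
# rreg_register /tmp/OAM11gRequest_webgate01.xml
```

The generated agent artifacts (ObAccessClient.xml and, for simple mode, the password file) are written under the RREG tool's output directory for that agent name and then copied to the WebGate's config directory on the web server host.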