OHS/webgate

Thursday, September 26, 2019

9:40 PM

A WebGate is a web-server plug-in for Oracle Access Manager (OAM) that intercepts HTTP requests and forwards them to the Access Server for authentication and authorization.

 

https://www.ateam-oracle.com/the-ultimate-apacheohs11g-tuning-guide-for-oam11g-webgate

 

Typical WebGate/OAM flow:

  --  The WebGate sends a 302 redirect to the client, so that the client is redirected to OAM for authentication.

 

 

DCC webgate: Detached Credentials Collector

 

 

 

 

 

########################################################

cat /opt/ohs/webgate/ohs/config/np_wg.txt   - WebGate version information

${OHS_HOME}/webgate/config/simple            - .pem files

${OHS_HOME}                                  - webgate.conf/httpd.conf

 

######################################################

${OHS_HOME}/webgate/config:

   cwallet.sso, cwallet.sso.lck, ObAccessClient.xml, oblog_config_wg.xml (do not delete), password.xml, simple (.pem files)

 

Re-register the WebGate agent on the OAM server (/opt/admin/oam_domain/aserver/oam_domain/output), as defined in "ObAccessClient.xml"

=> Log in to that server, copy all the files and place them in the layout above

      copy the .pem files to ${OHS_HOME}/webgate/config/simple

      in case of a password change: Admin Console - Security Realms - myrealm - Providers - OAM_$ENV - change password - restart the Admin Server and all Managed Servers

      hit the URL on port 7777 (the non-HTTPS port)

 

############################################

cd ${OHS_HOME}; cp webgate.conf webgate.conf_`date '+%Y-%m-%d-%H.%M.%S'`

vi webgate.conf

The following allows URLs containing adc.html or adc.jspx …, which in turn are used by the LB health monitors to set a server's status. The negative lookbehind exempts every request path that ends in /adc.html or /adc.jspx, in any directory, from the valid-user requirement; paths such as /adc.html/ or /adc.htmlx still match and remain protected.

FROM:        <LocationMatch "/*">

AuthType Oblix

require valid-user

</LocationMatch>

 

TO:    <LocationMatch "^.*(?<!\/adc\.html|\/adc\.jspx)$">

AuthType Oblix

require valid-user

</LocationMatch>
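An added audit of the carve-out above (this script is not part of the original notes): it runs the TO pattern from webgate.conf against constructed request paths and reports which ones WebGate still protects. It assumes GNU grep built with PCRE support (-P); LocationMatch itself tests only the URL path, without the query string.

```shell
#!/bin/sh
# Added example, not from the original notes: check which request paths the modified
# <LocationMatch> leaves outside "require valid-user". Assumes GNU grep with -P.
WG_PATTERN='^.*(?<!\/adc\.html|\/adc\.jspx)$'   # the TO pattern from webgate.conf

# requires_auth PATH -> 0 if the LocationMatch matches (WebGate enforces auth), 1 if exempt
requires_auth() {
  printf '%s\n' "$1" | grep -qP "$WG_PATTERN"
}

# audit_paths: one line per constructed sample path with the outcome of the carve-out
audit_paths() {
  for p in / /adc.html /adc.jspx /app/adc.html /protected/admin/adc.jspx \
           /adc.html/ /adc.htmlx /xadc.html /ADC.HTML; do
    if requires_auth "$p"; then echo "PROTECTED  $p"; else echo "EXEMPT     $p"; fi
  done
}

audit_paths
```

Every path ending in /adc.html or /adc.jspx reports EXEMPT regardless of directory, while the case-differing /ADC.HTML and the near-misses stay PROTECTED.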

 

###########################################

 

###### Cert Install OHS12c, before running replace hostname and variables ######

#Oracle PKI Tool

#Search and Replace ALL for below....

#HOSTNAME

#USERID

#PASSWORD - get it from team. (password123)

 

sudo su - oracle

OHS_HOME="/opt/admin/ohs1_domain/config/fmwconfig/components/OHS/ohs1"

OHS_COMMON="/opt/ohs/oracle_common/bin"

 

${OHS_COMMON}/orapki wallet create -wallet ${OHS_HOME}/keystores -auto_login   # prompts for the wallet password: enter PASSWORD

 

# double quotes so the shell expands ${HOSTNAME} in the DN and the SAN (single quotes would pass the literal text)
${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -dn "CN=${HOSTNAME}, OU=Inc, O=It, L=Green, ST=CA, C=US" -asym_alg RSA -keysize 2048 -pwd PASSWORD -addext_san "DNS:${HOSTNAME}"

${OHS_COMMON}/orapki wallet export -wallet ${OHS_HOME}/keystores -dn "CN=${HOSTNAME}, OU=Inc, O=It, L=Green, ST=CA, C=US" -request ${OHS_HOME}/keystores/${HOSTNAME}_ohs.csr -pwd PASSWORD

 

cp ${OHS_HOME}/keystores/${HOSTNAME}_ohs.csr /tmp/

chmod 755 /tmp/${HOSTNAME}_ohs.csr

 

#copy the .csr from the UNIX box to your local system and run the following in a CMD prompt

******************

##cd "C:\Users\USERID\Documents"

##certreq -submit -attrib "Certificatetemplate:OpenSystemsServerCertificateSHA2" -config $CERTHOST\SHA2SubCA3 C:\Users\USERID\Documents\${HOSTNAME}_ohs.csr ${HOSTNAME}_ohs.cer

******************

#for primary server

certreq -submit -attrib "CertificateTemplate: WebServer_Basic_ApprovalReq_1" -config "$CERTHOST\SchSHA2IssuingCA1" ${HOSTNAME}_ohs.csr

#for secondary server

certreq -submit -attrib "CertificateTemplate: WebServer_Basic_ApprovalReq_1" -config "$CERTHOST\SchSHA2IssuingCA2" ${HOSTNAME}_ohs.csr

#Send a message to Information Security asking them to issue you the certificate

#copy the generated .cer from WIN to UNIX host's /tmp dir

#run below on UNIX host.

 

cp /tmp/${HOSTNAME}_ohs.cer ${OHS_HOME}/keystores

 

*******************

#${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -trusted_cert -cert /opt/Certificates/MS-Root.cer -pwd PASSWORD

#${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -trusted_cert -cert /opt/Certificates/MS-Intermediate.cer -pwd PASSWORD

#${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -user_cert -cert ${OHS_HOME}/keystores/${HOSTNAME}_ohs.cer -pwd PASSWORD

*******************

#IMPORT Organization Root and issuing Sub certificates into Keystore/wallet:

${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -pwd PASSWORD -trusted_cert -cert /opt/Certificates/SNI_CA_Certs/SrSHA2RootCA.crt

${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -pwd PASSWORD -trusted_cert -cert /opt/Certificates/SNI_CA_Certs/SrSHA2IssuingCA1.crt

${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -pwd PASSWORD -trusted_cert -cert /opt/Certificates/SNI_CA_Certs/SrSHA2IssuingCA2.crt

 

********************

#IMPORT Signed HOSTNAME Certificate generated above into Keystore/Wallet
#(-user_cert, as in the commented command above: the signed server certificate belongs to the wallet's own key; -trusted_cert is only for CA certificates)

${OHS_COMMON}/orapki wallet add -wallet ${OHS_HOME}/keystores -pwd PASSWORD -user_cert -cert /opt/Certificates/FINISH PATH TO DIR/HOSTNAME.cer

 

********************

#Validations

${OHS_COMMON}/orapki wallet display -wallet ${OHS_HOME}/keystores -pwd PASSWORD

${OHS_COMMON}/orapki wallet display -complete -wallet ${OHS_HOME}/keystores -pwd PASSWORD
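An added check to run before the orapki import of the signed .cer (it is not part of the original notes): it uses openssl to confirm that the issued certificate chains to the root and issuing CA files imported above and that it carries the public key of the CSR exported from the wallet, so a certificate issued for the wrong key or CA is caught before the wallet and ssl.conf are touched. It assumes PEM-encoded files.

```shell
#!/bin/sh
# Added example, not part of the original notes: before importing the CA-issued
# .cer into the wallet with orapki, confirm with openssl that it chains to the
# root and issuing CA files and that its public key is the one in the CSR that
# was exported from the wallet. Assumes PEM-encoded files (convert a DER .cer
# with "openssl x509 -inform DER" first).
set -u

# verify_issued_cert ROOT_CA ISSUING_CA CSR CER
# returns 0 only if the chain validates AND the cert carries the CSR's public key
verify_issued_cert() {
  root="$1"; issuing="$2"; csr="$3"; cer="$4"
  # both inputs must parse, otherwise the key comparison below would compare empty output
  openssl req -in "$csr" -noout >/dev/null 2>&1 || return 1
  openssl x509 -in "$cer" -noout >/dev/null 2>&1 || return 1
  # 1) chain: the leaf must validate against the root, with the issuing CA as untrusted intermediate
  openssl verify -CAfile "$root" -untrusted "$issuing" "$cer" >/dev/null 2>&1 || return 1
  # 2) key: the CA must have signed the key that lives in this wallet, not some other key
  csr_pub=$(openssl req -in "$csr" -noout -pubkey | openssl dgst -sha256)
  cer_pub=$(openssl x509 -in "$cer" -noout -pubkey | openssl dgst -sha256)
  [ "$csr_pub" = "$cer_pub" ]
}

# Usage on the OHS host, with the paths from the notes above:
# verify_issued_cert /opt/Certificates/SNI_CA_Certs/SrSHA2RootCA.crt \
#   /opt/Certificates/SNI_CA_Certs/SrSHA2IssuingCA1.crt \
#   "${OHS_HOME}/keystores/${HOSTNAME}_ohs.csr" "${OHS_HOME}/keystores/${HOSTNAME}_ohs.cer" \
#   && echo "cert OK: import it with orapki wallet add ... -user_cert"
```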

 

********************

#CONFIGURE SSL for OHS

 

cd ${OHS_HOME}

cp ssl.conf ssl.conf.ORIG

 

vi ssl.conf      #search for SSLWallet and comment the existing and add below in new line

SSLWallet "${OHS_HOME}/keystores"

 

rm /tmp/${HOSTNAME}_ohs.csr  #also remove the .cer from WinSCP, as it is user-owned

 

#Restart the OHS agent

/opt/ohs/oracle_common/common/bin/wlst.sh /opt/scripts/ohs_control_ohs1_domain.py stopOHS

/opt/ohs/oracle_common/common/bin/wlst.sh /opt/scripts/ohs_control_ohs1_domain.py startOHS

 

cd /opt/admin/ohs1_domain/bin; nohup ./startNodeManager.sh > /dev/null 2>&1 &

 
